Suspicious Command Execution via Web Server on Linux
2 rules, 3 TTPs
Identifies suspicious command executions via a web server on Linux systems, which may suggest exploitation of a vulnerability and remote shell access.
Suspicious Command Execution via Web Server on Linux
3 rules, 2 TTPs
Identifies suspicious command executions via a web server on Linux systems, potentially indicating vulnerability exploitation or remote shell access for persistence.
Unusual Command Execution from Web Server Parent Process on Linux
2 rules, 3 TTPs
This rule detects potential command execution from a web server parent process on a Linux host, indicating a possible web shell attack in which adversaries exploit web server vulnerabilities to execute arbitrary commands.
Nginx Vulnerability Leading to Remote Code Execution and Denial of Service
2 rules, 2 TTPs
A vulnerability in Nginx allows a remote attacker to execute arbitrary code and cause a denial-of-service condition, affecting Nginx Open Source versions 1.x before 1.30.2, versions after 1.31.0 before 1.31.1, Nginx Plus versions 37.x before 37.0.1.1, and versions Rx before R36 P5 or R32 P7.
NGINX Open Source and NGINX Plus Vulnerability Allows Denial of Service and Potential Code Execution
2 rules, 1 TTP
A remote, anonymous attacker can exploit a vulnerability in NGINX Open Source and NGINX Plus to perform a denial-of-service attack and potentially execute arbitrary code.
BadIIS Malware-as-a-Service Ecosystem Targeting IIS Servers
2 rules, 1 TTP, 6 IOCs
A commodity BadIIS malware variant is fueling a thriving malware-as-a-service (MaaS) ecosystem for Chinese-speaking cybercrime groups, allowing them to carry out SEO fraud, hijack server content, and redirect traffic to illicit sites.
NGINX JavaScript Heap Buffer Overflow Vulnerability (CVE-2026-8711)
2 rules, 3 TTPs, 1 CVE
NGINX JavaScript is vulnerable to a heap buffer overflow (CVE-2026-8711) when the js_fetch_proxy directive is configured with client-controlled variables and ngx.fetch(), allowing unauthenticated attackers to cause worker process restarts or, with ASLR disabled, code execution via crafted HTTP requests.
Multiple Vulnerabilities in NGINX Open Source and NGINX Plus
2 rules, 8 TTPs
Multiple vulnerabilities in NGINX Open Source and NGINX Plus allow a remote, anonymous attacker to bypass security measures, execute arbitrary code, manipulate data, disclose confidential information, or cause a denial-of-service condition.
CVE-2026-42945: NGINX ngx_http_rewrite_module Heap Buffer Overflow
2 rules, 3 TTPs, 1 CVE
NGINX Plus and NGINX Open Source are vulnerable to a heap buffer overflow (CVE-2026-42945) triggered by crafted HTTP requests when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed PCRE capture with a replacement string that includes a question mark, potentially leading to denial of service or code execution.
nginx-ui Information Disclosure Vulnerability
2 rules, 1 TTP
A remote, authenticated attacker can exploit a vulnerability in nginx-ui to disclose sensitive information.
SPIP RCE Vulnerability in Nginx Configurations (CVE-2026-8430)
2 rules, 1 TTP, 1 CVE
SPIP versions prior to 4.4.14 contain a remote code execution vulnerability exploitable in certain Nginx configurations, allowing attackers to execute arbitrary code within the web server's context.
Nginx-UI Unauthenticated Remote Code Execution via Backup Restore
2 rules, 2 TTPs
Nginx-UI is vulnerable to unauthenticated remote code execution (RCE) via the `POST /api/restore` endpoint, allowing attackers to inject arbitrary commands into the configuration.
AzuraCast Account Takeover via X-Forwarded-Host Poisoning
2 rules, 3 TTPs, 2 IOCs
AzuraCast is vulnerable to password reset poisoning because it unconditionally trusts the X-Forwarded-Host header, allowing an attacker to inject a malicious host into the password reset URL, exfiltrate the reset token, reset the victim's password, and disable 2FA, leading to account takeover.