
NGINX, Drupal, Cisco Face Critical CVEs in May 2026

Synthesized from 5 sources

Three widely deployed platforms — NGINX, Drupal, and Cisco Secure Workload — disclosed and patched critical vulnerabilities in May 2026, with active exploitation already confirmed for two of them. The flaws span heap buffer overflows, SQL injection, and unauthenticated API access, each carrying CVSS scores above 9.0.

NGINX CVE-2026-42945 Draws Active Attacks Days After Patch

CVE-2026-42945, a heap buffer overflow in NGINX’s `ngx_http_rewrite_module`, was patched by F5 as part of its quarterly release cycle — but exploitation began within days. VulnCheck researcher Patrick Garrity warned that “we’re seeing active exploitation of CVE-2026-42945 in F5 NGINX, a heap buffer overflow affecting both NGINX Plus and NGINX Open Source on VulnCheck Canaries just days after the CVE was published.”

The vulnerability carries a CVSS score of 9.2 and had existed in NGINX’s codebase for 16 years before being patched. According to SecurityWeek’s coverage of the active exploitation, the flaw stems from a two-pass process in NGINX’s script engine: one pass computes the required buffer size, the other copies data. When a rewrite rule containing a question mark is used, an unpropagated flag causes an undersized buffer allocation, allowing attacker-controlled data to be written past the heap boundary.

On default deployments, successful exploitation triggers a worker restart, a denial-of-service condition. Remote code execution is possible only if Address Space Layout Randomization (ASLR) is disabled, a configuration F5 noted is not the default on most systems.

Exploitability and Exposure

VulnCheck reported that a Censys query surfaces roughly 5.7 million internet-exposed NGINX servers running a potentially vulnerable version, though the truly exploitable population is a smaller subset requiring a specific rewrite configuration. Exploitation without authentication is possible via crafted HTTP requests, making unauthenticated remote attack vectors a realistic concern for misconfigured deployments.
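A triage check an administrator could run over `nginx -T` output to find rewrite directives whose replacement string contains a question mark, the configuration the advisory singles out. This is an added example written for this page, not code from the article, F5 or VulnCheck; the sample configuration and the `example.test` hostname are constructed.

```python
# Added triage helper, not code from the article, F5 or NGINX: list every nginx
# `rewrite` directive whose replacement contains '?', with its enclosing block
# context. It reports configuration exposure only, not exploitability.
import re
import shlex

REWRITE_RE = re.compile(r'^rewrite\s+(.*?)\s*;$')

# Constructed sample standing in for `nginx -T` output; example.test is a placeholder.
SAMPLE_CONFIG = """# configuration file /etc/nginx/nginx.conf:
http {
    server {
        server_name example.test;
        location /old {
            rewrite ^/old/(.*)$ /new/$1? permanent;
        }
        rewrite ^/api/(.*)$ /v2/$1 last;   # no '?': original args get appended
        rewrite "^/search/(.*)$" "/search?q=$1" last;
    }
}
"""

def _split_args(text):
    """Split directive arguments on whitespace, honouring quotes, keeping backslashes."""
    lex = shlex.shlex(text, posix=True)
    lex.whitespace_split, lex.escape, lex.commenters = True, '', ''
    try:
        return list(lex)
    except ValueError:               # unbalanced quote: fall back to plain split
        return text.split()

def find_question_mark_rewrites(config_text):
    """Return (line_no, context, pattern, replacement) for each rewrite whose
    replacement string contains '?'; context is the chain of enclosing blocks."""
    stack, findings = [], []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        line = re.sub(r'\s#.*$', '', line).rstrip()      # drop trailing comment
        if line.endswith('{'):
            stack.append(line[:-1].strip())
        elif line == '}' and stack:
            stack.pop()
        elif (m := REWRITE_RE.match(line)):
            args = _split_args(m.group(1))
            if len(args) >= 2 and '?' in args[1]:
                findings.append((line_no, ' > '.join(stack) or '(main)', args[0], args[1]))
    return findings
```

Feed it saved `nginx -T` output (for example `find_question_mark_rewrites(open('nginx-T.txt').read())`); a hit means the deployment is in the subset the advisory describes and belongs at the front of the patch queue.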

Security firm Depthfirst published technical details and proof-of-concept code shortly after the patch dropped, describing a technique using “cross-request heap feng shui” to corrupt an adjacent memory pool’s cleanup pointer and redirect execution. Achieving RCE requires overwriting fields in NGINX’s memory pool without crashing the worker process — a non-trivial but documented technique.

Drupal Patches SQL Injection Flaw in PostgreSQL Deployments

Drupal released patches on May 20, 2026 for CVE-2026-9082, a highly critical SQL injection vulnerability rated 20 out of 25 on NIST’s CMSS scale. The flaw exists in an API designed to sanitize database queries, and Drupal’s advisory warned that “a vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases.”

The vulnerability can be exploited without authentication to extract information and, in some configurations, to escalate privileges or achieve remote code execution. Drupal developers had pre-announced the patch window — May 20, 17:00–21:00 UTC — warning that an exploit might be created within hours or days of disclosure.

CVE-2026-9082 affects only sites running PostgreSQL. According to SecurityWeek’s report on the patch, Drupal developers estimate fewer than 5% of Drupal-powered websites use PostgreSQL, limiting the blast radius. Patches are available for Drupal versions 11.3, 11.2, 10.6, and 10.5.x.

The same update also addresses important vulnerabilities in Symfony and Twig dependencies. Drupal recommends updating those components regardless of whether a site uses PostgreSQL. A May 22 update to SecurityWeek’s coverage noted that threat actors had begun actively exploiting the vulnerability, consistent with the developers’ pre-patch warning. The last time a Drupal flaw was exploited in the wild was 2019, following the Drupalgeddon and Drupalgeddon2 campaigns that compromised large numbers of websites.

Cisco Secure Workload Gets a Perfect 10 CVSS Patch

Cisco on Wednesday patched CVE-2026-20223 in Cisco Secure Workload, a flaw carrying a CVSS score of 10.0 — the maximum. According to Cisco’s advisory, the vulnerability exists due to insufficient validation and authentication in the product’s REST API endpoints.

Successful exploitation allows an attacker to read sensitive information and modify configurations across tenant boundaries with Site Admin privileges — the highest access level in the platform. The flaw affects both SaaS and on-premises deployments regardless of device configuration, though Cisco clarified it does not affect the web-based management interface.

Cisco addressed the issue in Secure Workload versions 3.10.8.3 and 4.0.3.17. The company said it is not aware of active exploitation and recommends all users update immediately. Alongside the Secure Workload fix, Cisco released patches for three medium-severity bugs in ThousandEyes Virtual Appliance, ThousandEyes Enterprise Agent, and Nexus 3000 and 9000 series switches — flaws that could allow remote command execution with root privileges or trigger BGP peer flaps causing denial-of-service conditions.

What This Means

The May 2026 disclosure window illustrates a pattern that security teams have limited tools to counter: PoC code for CVE-2026-42945 appeared within days of F5’s patch, and active exploitation followed almost immediately. The 16-year dwell time of the NGINX flaw underscores how long heap memory mismanagement bugs can survive in widely audited open-source codebases.

For Drupal, the pre-announcement strategy — alerting administrators to reserve patching time before disclosing technical details — is a reasonable mitigation tactic, but the May 22 confirmation of active exploitation suggests the window between patch release and weaponization is compressing. The PostgreSQL scope limitation reduces overall exposure, but unauthenticated SQL injection with RCE potential on any production CMS warrants immediate action.

Cisco’s perfect-10 CVE in Secure Workload is notable for its cross-tenant scope: an attacker who can send a crafted API request gains Site Admin access across organizational boundaries, making it particularly dangerous in shared or multi-tenant deployments. None of Cisco’s May patches show signs of in-the-wild exploitation yet, but the severity warrants treating the update window as urgent.

Administrators running any of these platforms should prioritize patching in the order of confirmed exploitation risk: NGINX first, Drupal second, Cisco Secure Workload third.

FAQ

What is CVE-2026-42945 and which NGINX versions are affected?

CVE-2026-42945 is a heap buffer overflow in NGINX’s `ngx_http_rewrite_module`, carrying a CVSS score of 9.2. It affects both NGINX Plus and NGINX Open Source on deployments using rewrite and set directives, and was patched by F5 in its May 2026 quarterly release.

Does the Drupal SQL injection flaw affect all Drupal sites?

No. CVE-2026-9082 only affects Drupal sites running PostgreSQL databases. Drupal developers estimate fewer than 5% of Drupal-powered websites use PostgreSQL, though all supported versions — 10.5.x through 11.3 — require the patch.

Is Cisco CVE-2026-20223 being actively exploited?

Cisco said as of its Wednesday advisory that it is not aware of active exploitation of CVE-2026-20223. The company nonetheless recommends immediate updates to Secure Workload versions 3.10.8.3 or 4.0.3.17 given the vulnerability’s maximum CVSS score of 10.0 and its ability to grant Site Admin access without authentication.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.