GO-2024-2462: Arbitrary command execution in github.com/0xJacky/Nginx-UI
GO-2024-2464: Remote command execution in github.com/0xJacky/Nginx-UI
GO-2024-2480: Nginx-UI vulnerable to authenticated RCE through injecting into the application config via CRLF in github.com/0xJacky/Nginx-UI
GO-2024-2481: Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature in github.com/0xJacky/Nginx-UI
GO-2026-4614: Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure in github.com/0xJacky/Nginx-UI
GO-2026-4902: nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval in github.com/0xJacky/Nginx-UI
GO-2026-4903: nginx-ui Backup Restore Allows Tampering with Encrypted Backups in github.com/0xJacky/Nginx-UI
GO-2026-4904: nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover in github.com/0xJacky/Nginx-UI
GO-2026-4906: nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse in github.com/0xJacky/Nginx-UI
GO-2026-4907: Nginx Configuration Directory Vulnerable to Recursive Deletion via Improper Path Validation in github.com/0xJacky/Nginx-UI
GO-2026-5210: Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints in github.com/0xJacky/Nginx-UI
GO-2026-5227: Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback in github.com/0xJacky/Nginx-UI
GO-2026-5412: Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim in github.com/0xJacky/Nginx-UI
GO-2026-5719: Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services in github.com/0xJacky/Nginx-UI
GO-2026-5733: Nginx-UI: Disabled users retain full API access through previously issued bearer tokens in github.com/0xJacky/Nginx-UI