winget install --id nginxinc.nginxAbout nginx
NGINX is the world's most popular Web Server, high performance Load Balancer, Reverse Proxy, API Gateway and Content Cache.
What's new in 1.31.0
*) Security: when using the "proxy_set_body" directive, an attacker might inject data in the proxied request to an HTTP/2 backend (CVE-2026-42926). Thanks to Mufeed VH of Winfunc Research. *) Security: a heap memory buffer overflow might occur in a worker process while handling a specially crafted request by ngx_http_rewrite_module, potentially resulting in arbitrary code execution (CVE-2026-42945). Thanks to Leo Lin. *) Security: a heap memory buffer overread might occur in a worker process while handling a specially crafted response by ngx_http_scgi_module or ngx_http_uwsgi_module, allowing an attacker to cause a disclosure of worker process memory or segmentation fault in a worker process (CVE-2026-42946). Thanks to Leo Lin. *) Security: a heap memory buffer overread might occur in a worker process while handling a specially sent response with decoding from UTF-8 via the "charset_map" directive, allowing an attacker to cause a limited disclosure of worker proccess memory or segmentation fault in a worker process (CVE-2026-42934). Thanks to David Carlier. *) Security: when using HTTP/3, processing of connection migration might cause new QUIC streams to receive a new client address before validation, allowing an attacker to cause address spoofing (CVE-2026-40460). Thanks to Rodrigo Laneth. *) Security: use-after-free might occur during DNS server response processing if the "ssl_ocsp" directive was used, allowing an attacker to cause worker process memory corruption or segmentation fault in a worker process (CVE-2026-40701). Thanks to Leo Lin. *) Change: now nginx rejects H...
Version history
| Version | Updated | Notes |
|---|---|---|
| 1.31.0 | Unknown | *) Security: when using the "proxy_set_body" directive, an attacker might inject data in the proxied request to an HTTP/2 backend (CVE-2026-42926). Thanks to Mufeed VH of Winfunc Research. *) Security: a heap memory buff... |
| 1.29.8 | Unknown | Feature: the "max_headers" directive. Thanks to Maxim Dounin. Feature: OpenSSL 4.0 compatibility. Feature: now the "include" directive inside the "geo" block supports wildcards. Bugfix: in processing of HTTP 103 (Early H... |
| 1.29.7 | Unknown | *) Security: a buffer overflow might occur while handling a COPY or MOVE request in a location with "alias", allowing an attacker to modify the source or destination path outside of the document root (CVE-2026-27654). Th... |
| 1.29.6 | Unknown | Feature: session affinity support; the "sticky" directive in the "upstream" block of the "http" module; the "server" directive supports the "route" and "drain" parameters. Change: now nginx limits the size and rate of QU... |
| 1.29.5 | Unknown | - Security: an attacker might inject plain text data in the response from an SSL backend (CVE-2026-1642). - Bugfix: use-after-free might occur after switching to the next gRPC or HTTP/2 backend. - Bugfix: an invalid HTTP... |
| 1.29.4 | Unknown | Release notes |
| 1.29.3 | Unknown | Release notes |
| 1.29.2 | Unknown | Release notes |
| 1.29.1 | Unknown | Release notes |
| 1.29.0 | Unknown | Release notes |
| 1.28.2 | Unknown | Release notes |
| 1.28.1 | Unknown | Release notes |
| 1.28.0 | Unknown | Release notes |
| 1.27.5 | Unknown | Release notes |
| 1.27.4 | Unknown | No notes |
| 1.27.2 | Unknown | Release notes |