CVE-2026-40460NVD

Vulnerability Summary

When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity Level

MEDIUM(6.5)

Published Date

May 13, 2026

Last Modified

May 13, 2026

Exploitation Status

????

EPSS Score (30-Day)

0.02%Probability

Root Weakness (CWE)

N/A

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

ConfidentialityLow

IntegrityNone

AvailabilityLow

External References

https://my.f5.com/manage/s/article/K000161068

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2026-40460NVD

Vulnerability Summary

External References