CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-28755

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 0.9%

CVSS Severity

CVSS v3 Score 5.4

References

https://my.f5.com/manage/s/article/K000160368

Products affected by CVE-2026-28755

F5 » Nginx Open Source » Version: Any

cpe:2.3:a:f5:nginx_open_source:*
F5 » Nginx Open Source » Version: 1.28.2

cpe:2.3:a:f5:nginx_open_source:1.28.2
F5 » Nginx Open Source » Version: 1.29.0

cpe:2.3:a:f5:nginx_open_source:1.29.0
F5 » Nginx Open Source » Version: 1.29.5

cpe:2.3:a:f5:nginx_open_source:1.29.5
F5 » Nginx Plus » Version: r33

cpe:2.3:a:f5:nginx_plus:r33
F5 » Nginx Plus » Version: r34

cpe:2.3:a:f5:nginx_plus:r34
F5 » Nginx Plus » Version: r35

cpe:2.3:a:f5:nginx_plus:r35
F5 » Nginx Plus » Version: r36

cpe:2.3:a:f5:nginx_plus:r36

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-28755

Products

Pricing

Contact Us