{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28753", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "state": "PUBLISHED", "assignerShortName": "f5", "dateReserved": "2026-03-18T16:06:38.435Z", "datePublished": "2026-03-24T14:13:26.107Z", "dateUpdated": "2026-03-24T15:24:34.995Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2026-03-24T14:49:49.169Z"}, "title": "NGINX ngx_mail_proxy_module vulnerability", "datePublic": "2026-03-24T14:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-93", "description": "CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "affected": [{"vendor": "F5", "product": "NGINX Open Source", "modules": ["ngx_mail_proxy_module"], "versions": [{"status": "affected", "version": "1.29.0", "lessThan": "1.29.7", "versionType": "semver"}, {"status": "affected", "version": "0.6.27", "lessThan": "1.28.3", "versionType": "semver"}], "defaultStatus": "unknown"}, {"vendor": "F5", "product": "NGINX Plus", "modules": ["ngx_mail_proxy_module"], "versions": [{"status": "affected", "version": "R36", "lessThan": "R36 P3", "versionType": "custom"}, {"status": "affected", "version": "R35", "lessThan": "R35 P2", "versionType": "custom"}, {"status": "affected", "version": "R34", "lessThan": "*", "versionType": "custom"}, {"status": "affected", "version": "R33", "lessThan": "*", "versionType": "custom"}, {"status": "affected", "version": "R32", "lessThan": "R32 P5", "versionType": "custom"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}]}], "references": [{"url": "https://my.f5.com/manage/s/article/K000160367", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "LOW", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Asim Viladi Oglu Manizada", "type": "reporter"}, {"lang": "en", "value": "Colin Warren", "type": "reporter"}, {"lang": "en", "value": "Xiao Liu (Yunnan University)", "type": "reporter"}, {"lang": "en", "value": "Yuan Tan (UC Riverside)", "type": "reporter"}, {"lang": "en", "value": "Bird Liu (Lanzhou University)", "type": "reporter"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "F5 SIRTBot v1.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T15:24:28.689685Z", "id": "CVE-2026-28753", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:24:34.995Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28753", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T15:24:28.689685Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:24:31.847Z"}}], "cna": {"title": "NGINX ngx_mail_proxy_module vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Asim Viladi Oglu Manizada"}, {"lang": "en", "type": "reporter", "value": "Colin Warren"}, {"lang": "en", "type": "reporter", "value": "Xiao Liu (Yunnan University)"}, {"lang": "en", "type": "reporter", "value": "Yuan Tan (UC Riverside)"}, {"lang": "en", "type": "reporter", "value": "Bird Liu (Lanzhou University)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "F5", "modules": ["ngx_mail_proxy_module"], "product": "NGINX Open Source", "versions": [{"status": "affected", "version": "1.29.0", "lessThan": "1.29.7", "versionType": "semver"}, {"status": "affected", "version": "0.6.27", "lessThan": "1.28.3", "versionType": "semver"}], "defaultStatus": "unknown"}, {"vendor": "F5", "modules": ["ngx_mail_proxy_module"], "product": "NGINX Plus", "versions": [{"status": "affected", "version": "R36", "lessThan": "R36 P3", "versionType": "custom"}, {"status": "affected", "version": "R35", "lessThan": "R35 P2", "versionType": "custom"}, {"status": "affected", "version": "R34", "lessThan": "*", "versionType": "custom"}, {"status": "affected", "version": "R33", "lessThan": "*", "versionType": "custom"}, {"status": "affected", "version": "R32", "lessThan": "R32 P5", "versionType": "custom"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-24T14:00:00.000Z", "references": [{"url": "https://my.f5.com/manage/s/article/K000160367", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "F5 SIRTBot v1.0"}, "descriptions": [{"lang": "en", "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "supportingMedia": [{"type": "text/html", "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2026-03-24T14:49:49.169Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28753", "state": "PUBLISHED", "dateUpdated": "2026-03-24T15:24:34.995Z", "dateReserved": "2026-03-18T16:06:38.435Z", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "datePublished": "2026-03-24T14:13:26.107Z", "assignerShortName": "f5"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*", "matchCriteriaId": "FA913184-EAAD-409E-99C6-AB979DAA93F3", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:*", "matchCriteriaId": "782DF180-1101-4D6A-A1D7-8DADBAF6D9D3", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:*", "matchCriteriaId": "FB0B11F2-4748-492B-9906-F8C4C5EAFF12", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r32:p4:*:*:*:*:*:*", "matchCriteriaId": "86B53968-1CCA-4CF3-8454-BB92EF64D10E", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r33:*:*:*:*:*:*:*", "matchCriteriaId": "4F58BD02-EA76-4F32-87D6-430026C8553E", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*", "matchCriteriaId": "46DC49B8-7286-4867-9CDA-1C1B469CD304", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*", "matchCriteriaId": "43477C2E-7485-4146-B25C-F58D632CD85B", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*", "matchCriteriaId": "6A25B9CF-02C0-42DE-9C70-F2AD3ACE3CEB", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r34:*:*:*:*:*:*:*", "matchCriteriaId": "86358605-55F9-4F6F-846A-3F48738F6E05", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*", "matchCriteriaId": "7453D683-FCA7-46EE-BE49-5FD9A01D7F87", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*", "matchCriteriaId": "A977BF9F-D165-4B93-B4D2-A177883A5E75", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r35:*:*:*:*:*:*:*", "matchCriteriaId": "C643CEF2-F421-4E2C-AD39-51CE820F2238", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r35:p1:*:*:*:*:*:*", "matchCriteriaId": "4958360C-7993-4C82-8685-202D4940CE01", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r36:*:*:*:*:*:*:*", "matchCriteriaId": "942CA349-3FF8-4B9D-B87E-FBA8930CE913", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*", "matchCriteriaId": "7993A0FB-BE7E-4634-BF7F-FDEE3582D3E7", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r36:p2:*:*:*:*:*:*", "matchCriteriaId": "862EA47E-8D57-434E-9C8F-238325FB85B2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*", "matchCriteriaId": "DAFF8985-B90A-4E7F-8EB6-7DBD9779CEE6", "versionEndIncluding": "0.9.7", "versionStartIncluding": "0.6.27", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E8049B1-4C36-4711-BB99-2721CF67FF81", "versionEndExcluding": "1.28.3", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0EFE28B-E8E5-464E-B407-96436CA87C8E", "versionEndExcluding": "1.29.7", "versionStartIncluding": "1.29.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}, {"lang": "es", "value": "NGINX Plus y NGINX Open Source tienen una vulnerabilidad en el m\u00f3dulo ngx_mail_smtp_module debido al manejo inadecuado de secuencias CRLF en las respuestas DNS. Esto permite a un servidor DNS controlado por el atacante inyectar encabezados arbitrarios en las solicitudes upstream SMTP, lo que lleva a una posible manipulaci\u00f3n de solicitudes. Nota: Las versiones de software que han alcanzado el Fin de Soporte T\u00e9cnico (EoTS) no son evaluadas."}], "id": "CVE-2026-28753", "lastModified": "2026-03-26T21:15:24.053", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "f5sirt@f5.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "f5sirt@f5.com", "type": "Secondary"}]}, "published": "2026-03-24T15:16:33.560", "references": [{"source": "f5sirt@f5.com", "tags": ["Vendor Advisory"], "url": "https://my.f5.com/manage/s/article/K000160367"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "f5sirt@f5.com", "type": "Primary"}]}

{"bugzilla": {"description": "NGINX: NGINX Plus: NGINX Open Source: NGINX Plus and NGINX Open Source: Request manipulation via header injection in SMTP upstream requests", "id": "2450780", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450780"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-93", "details": ["A flaw was found in NGINX Plus and NGINX Open Source, specifically within the ngx_mail_smtp_module. This vulnerability allows an attacker-controlled DNS (Domain Name System) server to inject arbitrary headers into SMTP (Simple Mail Transfer Protocol) upstream requests. This is due to the improper handling of Carriage Return (CRLF) sequences in DNS responses. The primary consequence is the potential manipulation of these requests, which could alter their intended behavior."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-28753", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "nginx", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nginx:1.24/nginx", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nginx:1.24/nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nginx:1.26/nginx", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-24T14:13:26Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-28753\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-28753\nhttps://my.f5.com/manage/s/article/K000160367"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.29.0,1.29.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.6.27,1.28.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "NGINX Open Source", "source": "cna", "vendor": "F5"}, "product": "nginx_open_source", "vendor": "f5"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[R36,R36 P3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[R35,R35 P2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[R34,*]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[R33,*]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[R32,R32 P5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "NGINX Plus", "source": "cna", "vendor": "F5"}, "product": "nginx_plus", "vendor": "f5"}], "analysis": {"en": {"generated_at": "2026-03-26T23:24:29.980818+00:00", "value": {"mitigation_remediation": ["Apply the latest vendor\u2011published patch for NGINX Open Source and NGINX Plus that fixes CRLF handling in ngx_mail_smtp_module.", "If an upgrade cannot be performed immediately, disable the ngx_mail_smtp_module or configure NGINX to use a trusted DNS resolver to prevent malicious DNS responses.", "Monitor SMTP traffic for unexpected headers and review logs for anomalous SMTP command sequences.", "Verify that outbound DNS queries are made to a secure DNS provider and consider DNSSEC validation if supported."], "summary": {"action": "Patch Now", "impact": "SMTP header injection"}, "threat_synthesis": {"affected_systems": "This flaw affects F5 NGINX Open Source and all NGINX Plus releases from R32 through R36, covering multiple patch levels (p1, p2, p3, p4, etc.) as listed in the CPE data. Versions that have reached End of Technical Support are excluded from the CVE assessment.", "description_and_impact": "The vulnerability originates in the ngx_mail_smtp_module, where improper handling of CRLF sequences in DNS responses allows an attacker-controlled DNS server to inject arbitrary SMTP headers into upstream requests. This can lead to manipulation of the SMTP command stream, including forged message headers or altered control flow, potentially enabling replay attacks, bypassing email authentication, or compromising email integrity. The weakness is classified under CWE\u201193: Improper Handling of CRLF Sequences.", "risk_and_exploitability": "The CVSS base score is 6.3, indicating medium severity. The EPSS value of less than 1\u202f% and the lack of inclusion in the CISA KEV catalog suggest a low likelihood of widespread exploitation. Exploitation requires control over a DNS server that NGINX queries during SMTP processing, meaning the attack vector is network-based and limited to deployments using untrusted DNS resolvers. Successful exploitation would allow an attacker to alter SMTP traffic and potentially compromise email confidentiality and integrity."}}}}, "created": "2026-03-25T11:47:25.689316+00:00", "updated": "2026-03-27T09:21:02.714905+00:00", "vendors": ["f5", "f5$PRODUCT$nginx_open_source", "f5$PRODUCT$nginx_plus"]}