CVEFinder.io

CVE-2020-19692

β›” critical
πŸ” Scan for this CVE
Summary

Buffer Overflow vulnerabilty found in Nginx NJS v.0feca92 allows a remote attacker to execute arbitrary code via the njs_module_read in the njs_module.c file.

CVSS Score
9.8
Critical
EPSS Score
1.3
Exploit Probability
Published Date
2023-04-04
First Seen: 2026-01-05
πŸ“Š Relative Risk Intelligence

This CVE is Very High Risk - more severe than 90.5% of all 326,604 vulnerabilities in our database.

#31,067
Top 10% most severe
Severity Percentile
🎯 CISA SSVC Assessment Updated: Feb 18, 2025
πŸ” Exploitation Status
Poc
Proof-of-concept available
βš™οΈ Automatable
YES
Can be exploited automatically
πŸ’₯ Technical Impact
Total
Complete system compromise possible
SSVC data provided by CISA
Last Modified 2025-08-12
Source NVD πŸ”—
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-120

πŸ“¦ Affected Products 1

Vendor Product Status Affected Versions
f5 njs Affected
< 0.3.4

πŸ”— References 1

https://github.com/nginx/njs/issues/187
Exploit Issue Tracking

πŸ”— Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-8711 ⚠️ high 8.1 0.1 NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlle... 2026-05-19
CVE-2023-27727 ⚠️ high 7.5 0.1 Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_function_frame at src/njs_func... 2023-04-09
CVE-2023-27728 ⚠️ high 7.5 0.1 Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_dump_is_recursive at src/njs_v... 2023-04-09
CVE-2023-27729 ⚠️ high 7.5 0.1 Nginx NJS v0.7.10 was discovered to contain an illegal memcpy via the function njs_vmcode_return at src/njs_vmcode.c. 2023-04-09
CVE-2023-27730 ⚠️ high 7.5 0.1 Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_lvlhsh_find at src/njs_lvlhsh.... 2023-04-09
CVE-2020-19695 β›” critical 9.8 1.4 Buffer Overflow found in Nginx NJS allows a remote attacker to execute arbitrary code via the njs_object_property parame... 2023-04-04
These CVEs affect the same products