CVE-2026-42530

EPSS 0.8%

hype MIXED · 52 hack

Real CVE with vendor patch and credible CVSS, but no confirmed PoC, KEV listing, or exploitation signal yet.

What: NGINX Open Source HTTP/3 module (ngx_http_v3_module) vulnerability allowing denial of service and code execution; affects NGINX 1.30.2 and 1.31.2. CVSS reported as 9.2 in chatter.

Why it matters: F5 released emergency patches; multiple CVEs bundled in advisory suggest coordinated disclosure. CVSS 9.2 is critical. Low EPSS (0.008) and no KEV listing yet suggest early-stage disclosure (June 17–19, 2026). Chatter emphasizes RCE risk but notes ASLR bypass requirement reduces immediate threat.

Where it's seen: Cybersecurity news outlets (TheHackerNews, security blogs), vendor advisory amplification via security alerts and researcher commentary. No confirmed PoC or in-the-wild exploitation mentioned; debate focuses on exploitation constraints and patch urgency.

RISK: HIGH — CVSS 9.2, RCE vector, emergency patching by vendor, but nascent disclosure window.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 6/19/2026, 8:49:31 AM

No NVD details ingested for this CVE yet.