Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.
Get a demo Acunetix Website Security Scanner Get a demo
  • Product
  • Why Acunetix?
    • Solutions
      • INDUSTRIES
        • IT & Telecom
        • Government
        • Financial Services
        • Education
        • Healthcare
      • ROLES
        • CTO & CISO
        • Engineering Manager
        • Security Engineer
        • DevSecOps
    • Case Studies
    • Customers
    • Testimonials
  • Pricing
  • About Us
    • Our story
    • In the news
    • Careers
    • Contact
  • Resources
    • Blog
    • Webinars
    • White papers
    • Buyer’s guide
    • Partners
    • Documentation
  • Get a demo
WEB APPLICATION VULNERABILITIES Standard & Premium

Nginx UI Information Disclosure (CVE-2026-27944)

Description

Nginx UI before version 2.3.3 contains an information disclosure vulnerability in the unauthenticated /api/backup endpoint, which exposes encryption keys via the X-Backup-Security response header. An unauthenticated attacker can use the exposed key to download and decrypt full system backups, gaining access to sensitive data including credentials and private keys.

Remediation

Upgrade to the latest Nginx UI version

References

GitHub Advisory GHSA-g9w5-qffc-6762

Tenable Research TRA-2026-17

Related Vulnerabilities

TYPO3 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2024-34355)

Serendipity Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2013-5314)

phpMyFAQ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-2999)

Oracle HTTP Server Other Vulnerability (CVE-2004-2115)

MediaWiki CVE-2023-45372 Vulnerability (CVE-2023-45372)

Severity

Critical

Classification

CVE-2026-27944 CWE-306 CWE-311 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Information Disclosure Known Vulnerabilities

Take action and discover your vulnerabilities

Get a demo
Client: AWS
Client: Cognizant
Client: Garmin
Client: Airforce
Client: NASA
Client: American Express
Product Information
  • AcuSensor Technology
  • AcuMonitor Technology
  • Acunetix Integrations
  • Vulnerability Scanner
  • Support Plans
Use Cases
  • Penetration Testing Software
  • Website Security Scanner
  • External Vulnerability Scanner
  • Web Application Security
  • Vulnerability Management Software
Website Security
  • Cross-site Scripting
  • SQL Injection
  • Reflected XSS
  • CSRF Attacks
  • Directory Traversal
Learn More
  • White Papers
  • TLS Security
  • WordPress Security
  • Web Service Security
  • Prevent SQL Injection
Company
  • About Us
  • Customers
  • Become a Partner
  • Careers
  • Contact
Documentation
  • Case Studies
  • Documentation
  • Videos
  • Vulnerability Index
  • Webinars
  • Login
  • Invicti Subscription Services Agreement
  • Privacy Policy
  • Terms of Use
  • Sitemap
  • Follow us on Twiter
  • Follow us on LinkedIn

© Acunetix 2026, by Invicti