CVE-2026-28753 — LOW (3.7) — White Hats Nepal

Q: How severe is CVE-2026-28753?

CVE-2026-28753 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-28753?

Check the references section above for vendor advisories and patch information. Affected products include: F5 Nginx Plus, F5 Nginx Open Source.

Vulnerability Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Score

3.7

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
F5	Nginx Plus	r32
F5	Nginx Open Source	>= 0.6.27, <= 0.9.7

Related Weaknesses (CWE)

CWE-93

References

https://my.f5.com/manage/s/article/K000160367Vendor Advisory

FAQ

What is CVE-2026-28753?

CVE-2026-28753 is a vulnerability with a CVSS score of 3.7 (LOW). NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server ...

How severe is CVE-2026-28753?

CVE-2026-28753 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-28753?

Check the references section above for vendor advisories and patch information. Affected products include: F5 Nginx Plus, F5 Nginx Open Source.