Tell HN: A new Nginx 0-day just dropped

wpnews.pro

cd /news/ai-safety/tell-hn-a-new-nginx-0-day-just-dropp… · home › topics › ai-safety › article

[ARTICLE · art-34361] src=news.ycombinator.com ↗ pub=2026-06-18T22:55Z topic=ai-safety verified=true sentiment=↓ negative

Tell HN: A new Nginx 0-day just dropped

Nebula Security disclosed a new Nginx remote code execution 0-day affecting Fortune 500 companies. The vulnerability impacts Nginx Open Source versions 1.31.0 and 1.31.1 with HTTP/3 or QUIC enabled. Users are urged to upgrade to version 1.31.2 or disable QUIC immediately.

read1 min views1 publishedJun 18, 2026

| |||||||||||| 7 points by | We (Nebula Security) just dropped a nginx remote code execution 0-day. This vulnerability affect dozens of fortune 500 companies and we disclosed to nginx team immediately. This 0-day is the third nginx bug that receives "major" rating since 2014. ( To check if your server is impacted:

  1. You are running NGINX Open Source v1.31.0 or v1.31.1

  2. Your NGINX configuration enables HTTP/3 / QUIC

Immediate action:

  1. Upgrade NGINX to v1.31.2 or later
  
  2. If you cannot upgrade immediately, disable QUIC / HTTP/3 until you can patch

Shameless plug: this is the second nginx RCE 0-day we found in a month, using our security agent VEGA. (see our first nginx RCE at In the meantime, if you are interesting in trying VEGA on your codebase, reach out at etenz@nebusec.ai. | ||||||||||| |

source & further reading

news.ycombinator.com — original article Ask HN: How to stop your coding agent from creating just AI slop for the UI/UX? Where in the wave of Physical are we now? Poll: What's your primary AI coding agent/orchestrator?

~/api · this article 200

$curl api.wpnews.pro/v1/news/tell-hn-a-new-nginx-0-da…

Read original on news.ycombinator.com → news.ycombinator.com/item?id=48592738

mentioned entities

Nebula Security

Nginx

VEGA

metadata

slugtell-hn-a-new-nginx-0-day-just-dropped

topic#ai-safety

secondary2 topics

sentimentnegative

canonicalnews.ycombinator.com

navigation

← prevShow HN: Crawlie – Free open-sou…

next →Rethinking vulnerability managem…

── more in #ai-safety 4 stories · sorted by recency

techcrunch.com · 19 Jun · #ai-safety

Encryption, spyware, and now Mythos: History shows why cyber export control doesn’t work

letsdatascience.com · 19 Jun · #ai-safety

Reveal Life Science wins VivaTech OVHcloud startup prize

thenextweb.com · 19 Jun · #ai-safety

Trump says he no longer views Anthropic as a national security threat after G7 meeting with CEO

dev.to · 19 Jun · #ai-safety

Stop Wasting Tokens: I Built a File-Mapping Standard for AI-Assisted Development

── more on @nebula security 3 stories trending now

wpnews · 18 Jun · #artificial-intelligence

KubeCon, OpenInfra and PyTorch Unite to Scale AI

wpnews · 18 Jun · #ai-agents

How to Automate Business Reports With an AI Agent Instead of Dashboards

wpnews · 18 Jun · #ai-chips

Apple and Intel join forces in Trump’s push to bring chipmaking home

sponsored brought to you by zahid.host 4,200+ EU-deployed projects

reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main

→ Live at https://your-agent.zahid.host ✓

Get free account → Pricing

from €0/mo · no card required