# Tell HN: A new Nginx 0-day just dropped

> Source: <https://news.ycombinator.com/item?id=48592738>
> Published: 2026-06-18 22:55:30+00:00

| ||||||||||||
7 points by |
We (Nebula Security) just dropped a nginx remote code execution 0-day. This vulnerability affect dozens of fortune 500 companies and we disclosed to nginx team immediately. This 0-day is the third nginx bug that receives "major" rating since 2014. (
To check if your server is impacted: 

```
  1. You are running NGINX Open Source v1.31.0 or v1.31.1

  2. Your NGINX configuration enables HTTP/3 / QUIC
```

 Immediate action:

```
  1. Upgrade NGINX to v1.31.2 or later
  
  2. If you cannot upgrade immediately, disable QUIC / HTTP/3 until you can patch
```

 Shameless plug: this is the second nginx RCE 0-day we found in a month, using our security agent VEGA. (see our first nginx RCE at
In the meantime, if you are interesting in trying VEGA on your codebase, reach out at etenz@nebusec.ai. | |||||||||||
|