https://pfisterer.xyz/en/tags/vulnerability/Recent content in Vulnerability on Pfisterer ConsultingHugoenFri, 15 May 2026 07:00:00 +0200https://pfisterer.xyz/en/news/nginx-rift-18-jahre-ki-audit-mittelstand/Fri, 15 May 2026 07:00:00 +0200https://pfisterer.xyz/en/news/nginx-rift-18-jahre-ki-audit-mittelstand/<p>On May 13, 2026, F5 and security researcher depthfirst publish a disclosure with weight behind it. CVE-2026-42945, codenamed <strong>NGINX Rift</strong>, CVSS 9.2. Unauthenticated remote code execution in the <code>ngx_http_rewrite_module</code> of NGINX. Affected: all open-source versions from 0.6.27 through 1.30.0 and NGINX Plus R32 through R36. The bug has been in the code since 2008. Eighteen years.</p> <p>The actual punchline sits in the disclosure footnote. The bug was not found by a human researcher. It was found by an autonomous AI analysis system. Six hours of runtime against one of the most thoroughly reviewed open-source codebases on the planet. This is the direct confirmation of the thesis I sketched on May 13 in the article on the <a href="https://pfisterer.xyz/en/news/claude-mythos-firefox-glasswing-mittelstand/">Mythos Glasswing asymmetry</a> as something coming. It arrived a week later.</p>