F5 has rushed out emergency patches for two critical vulnerabilities in NGINX, one of the most widely used web servers on the internet. Both flaws — tracked as CVE-2026-42530 and CVE-2026-42055 — carry a CVSS severity score of 9.2 and let a remote, unauthenticated attacker run code on an affected server, as reported by The Hacker News. The bugs sit in NGINX’s HTTP/3 (QUIC) module and in its HTTP/2 proxy and gRPC handling.
If your business runs a website, web app or API behind NGINX — and a large share of Australian sites do, often without the owner realising — this is worth acting on. F5 hasn’t reported these particular flaws being exploited in the wild yet, but a similar critical NGINX bug last month was under attack within days of disclosure. A web server sitting in front of your customer-facing systems is exactly the kind of target attackers move on quickly.
Update to the patched releases as a priority: NGINX Open Source 1.31.2 or 1.30.3, and NGINX Plus R36 P6 or 37.0.2.1. If you can’t patch straight away, F5’s interim mitigations are to disable HTTP/3, and to remove the ignore_invalid_headers off directive (or drop your large_client_header_buffers size below 2 MB). If you’re not sure whether any of this applies to you, ask your hosting provider or IT team which version of NGINX you’re running and when it will be updated.
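A quick self-check against the mitigations above, written for this post as an added example (not F5's or All IT's tooling): it scans nginx config text for an HTTP/3 listener, ignore_invalid_headers off, and a large_client_header_buffers size of 2 MB or more, and compares an NGINX Open Source version against the fixed releases named here. The config excerpt is constructed sample input, and the version check assumes branches newer than 1.31 already carry the fix.

```shell
#!/bin/sh
# Constructed nginx.conf excerpt carrying all three risky settings (sample input, not a real server's config).
SAMPLE_CONF=$(cat <<'EOF'
http {
    large_client_header_buffers 4 2m;
    server {
        listen 443 ssl;
        listen 443 quic reuseport;   # HTTP/3 (QUIC) listener
        http3 on;
        ignore_invalid_headers off;
    }
}
EOF
)

# Reads nginx config text on stdin; strips comments, then prints one sorted finding per line.
nginx_conf_findings() {
    sed 's/#.*//' | awk '
        /^[ \t]*listen[ \t].*[ \t]quic/ || /^[ \t]*http3[ \t]+on/ { print "http3_enabled" }
        /^[ \t]*ignore_invalid_headers[ \t]+off/ { print "ignore_invalid_headers_off" }
        /^[ \t]*large_client_header_buffers[ \t]/ {
            sz = $3; sub(/;$/, "", sz)                     # e.g. "2m;" -> "2m"
            unit = tolower(substr(sz, length(sz), 1))
            num = sz; sub(/[kKmM]$/, "", num)
            bytes = (unit == "m") ? num * 1048576 : (unit == "k") ? num * 1024 : num + 0
            if (bytes >= 2097152) print "large_client_header_buffers_ge_2m"   # 2 MB threshold from the advisory
        }' | sort -u
}

# Returns 0 when an NGINX Open Source version is at or above the fixed release for its branch
# (1.30.x needs 1.30.3, 1.31.x needs 1.31.2). Assumption: branches newer than 1.31 carry the fix;
# older branches have no fixed release listed, so they are reported as needing an upgrade.
nginx_open_source_is_patched() {
    echo "$1" | awk -F. '{
        if ($1 == 1 && $2 == 30) exit !($3 >= 3)
        if ($1 == 1 && $2 == 31) exit !($3 >= 2)
        if ($1 > 1 || ($1 == 1 && $2 > 31)) exit 0
        exit 1
    }'
}

# Usage: feed the live config (output of nginx -T) and the version string from nginx -v.
printf '%s\n' "$SAMPLE_CONF" | nginx_conf_findings
nginx_open_source_is_patched "1.30.2" && echo "1.30.2: patched" || echo "1.30.2: upgrade required"
```

Run it against the real config and version rather than the sample, and treat any finding as a reason to apply the patch or the interim mitigation.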
Keeping web-facing software patched before it turns into a problem is part of what managed security should cover. If patching across your environment is currently nobody’s clear responsibility, All IT’s cybersecurity team can take that off your plate.