CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

F5 security advisory (AV26-612)

unknown
Serial number: AV26-612 Date: June 17, 2026 On June 17, 2026, F5 published a security advisory to address vulnerabilities in the following products: F5 DoS for NGINX - version 4.9.0 F5 WAF for NGINX Instance Manager - versions 5.9.0 to 5.13.1 NGINX App Protect DoS - versions 4.3.0 to 4.7.0 NGINX App Protect WAF - versions 5.2.0 to 5.8.0 and 4.10.0 to 4.16.0 NGINX Open Source - versions 1.30.0 to 1.30.2 and 1.31.0 to 1.31.1 NGINX Instance Manager - versions 2.17.0 to 2.22.0 NGINX Gateway Fabric - multiple versions NGINX Ingress Controller - multiple versions NGINX Plus - version 37.0.0 R33 to 37.01 R36 The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates. K000161614: Out-of-band Security Notification (June 17, 2026) MyF5

CSIRTS triage

vendor: F5product: NGINXOtheraffected: 4.9.0, 5.9.0 to 5.13.1, 4.3.0 to 4.7.0, 5.2.0 to 5.8.0, 4.10.0 to 4.16.0, 1.30.0 to 1.30.2, 1.31.0 to 1.31.1, 2.17.0 to 2.22.0, 37.0.0 R33 to 37.01 R36
What
Multiple vulnerabilities have been identified in various F5 NGINX products.
Who is affected
Users and administrators of the affected F5 NGINX products.
Urgency
Remediation is encouraged due to the potential impact of the vulnerabilities.
Action
Users should apply the necessary updates as recommended in the advisory.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch NGINX

Get an email when a new NGINX advisory drops — max one per day, one-click unsubscribe.

Details

Source
Canadian Centre for Cyber Security (CA · national-cert · site)
Severity
unknown
Published
2026-06-17
Exploitation
Not in CISA KEV at last sync

Original advisory: https://cyber.gc.ca/en/alerts-advisories/f5-security-advisory-av26-612

More from Canadian Centre for Cyber Security