HTTP/2 request injection in NGINX ngx_http_proxy_module

This repository is a self-contained lab and validation harness for CVE-2026-42926, described as an NGINX HTTP/2 frame injection issue caused by a vulnerable proxy configuration rather than remote code execution. The main exploit logic is in cve_2026_42926_lab.php, which classifies the NGINX version, verifies that the supplied configuration contains the required vulnerable pattern, constructs a crafted HTTP/2 DATA-frame-like header plus a unique marker, sends the payload to a target URL such as /exploit, and then inspects upstream JSON logs to decide whether injected frame evidence was observed. The exploit capability is therefore protocol-level injection validation against a reverse proxy path, not post-exploitation. Repository structure: the PHP script is the primary validator/exploit driver; nginx_config_verify.sh checks whether the target config uses proxy_http_version 2, proxy_set_body with a variable, and sufficient client_max_body_size; upstream_frame_logger.py is a raw TCP/HTTP2-aware listener that parses frame headers, records payloads, flags suspicious injected frames, and writes frames_<timestamp>.json logs; run_lab_comparison.sh automates side-by-side testing of a vulnerable and patched NGINX binary using separate log directories and result files; nginx_vulnerable.conf and docker/nginx_vulnerable.docker.conf provide the intentionally vulnerable proxy pattern for local and Docker use; Dockerfile and docker-compose.yml build and orchestrate the lab environment. Primary network targets/endpoints are the exposed NGINX listener (/exploit and /version), and the upstream logger on 127.0.0.1:8081 or upstream:8081. In Docker, nginx listens on 8080 and is exposed to the host as localhost:8080. The code also references local artifact paths for logs and results. Overall, this is an operational proof-of-concept lab that actively sends a crafted payload and validates whether upstream frame injection occurs under specific NGINX versions and configurations.