CVE-2026-27654 is a buffer overflow in NGINX Open Source and NGINX Plus affecting ngx_http_dav_module during WebDAV COPY and MOVE processing. The issue is triggered in configurations that use DAV COPY or MOVE methods together with a prefix location (non-regex location) and an alias directive. Supporting analysis indicates the vulnerable path involves ngx_http_dav_copy_move_handler(), with the overflow driven by an unsigned underflow in ngx_http_map_uri_to_path() when the Destination header is shorter than the configured location prefix. This can corrupt path buffer calculations in the NGINX worker process and lead to overflow while constructing source or destination filesystem paths. As a result, an attacker can crash the worker process or alter source/destination file names so operations occur outside the intended document root or WebDAV root.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository is a small standalone Python proof-of-concept for CVE-2026-27654, a heap buffer overflow in nginx's ngx_http_dav_module. The repo contains three files: LICENSE, README.md, and the main exploit script poc.py. README.md documents the vulnerability, affected/fixed versions, required nginx configuration, and expected crash behavior. The only code file, poc.py, is the entry point and implements the full exploit flow. The exploit is network/web-based and targets nginx DAV endpoints exposed over HTTP. It first checks target reachability, then optionally uploads a file using HTTP PUT to /uploads/triggerfile.txt. After that it sends a crafted HTTP MOVE request for that file with a Destination header pointing to an absolute URI whose path is /x. The script is explicitly designed around a vulnerable configuration where the DAV location prefix is /uploads/ and nginx uses alias /data/files/. Because the destination path is shorter than the location prefix, nginx performs an unsigned length subtraction that underflows, leading to a wrapped allocation size and an oversized copy, causing heap corruption and typically a worker crash. Capabilities are limited to vulnerability triggering and validation rather than post-exploitation. There is no shell payload, persistence, credential theft, or lateral movement logic. The practical result is remote denial of service against a vulnerable nginx worker, with the script also reporting likely patched behavior (HTTP 400), timeout/restart conditions, or connection reset indicating a crash. Overall, this is a genuine PoC exploit focused on reliable crash reproduction for defensive testing and verification.
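To make the length arithmetic concrete, here is an added illustration in C (hypothetical code, neither nginx's ngx_http_map_uri_to_path() nor the PoC from the repository above): a simplified "strip the location prefix, prepend the alias root" mapping using the page's `/uploads/` prefix and `/data/files/` alias, showing how the size_t subtraction wraps for a Destination path shorter than the prefix, beside a checked version that rejects such a request instead, which is the 400 behaviour the page attributes to patched builds.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of "strip the location prefix, prepend the alias root".
 * Not nginx's ngx_http_map_uri_to_path(); it reproduces only the size_t
 * arithmetic this page describes. */
typedef struct { const char *data; size_t len; } str_t;

/* Unchecked length, alias.len + (uri.len - loc.len): with size_t operands the
 * subtraction wraps when uri.len < loc.len, so a Destination path shorter
 * than the prefix yields a bogus (here, tiny) size for a copy that is not tiny. */
size_t unchecked_path_len(str_t alias, str_t loc, str_t uri) {
    return alias.len + (uri.len - loc.len);
}

/* Hardened mapping: reject a URI shorter than the prefix or not starting with
 * it, and bound the write to the caller's buffer. Returns the mapped length,
 * or -1 when the request should be answered with 400. */
long map_uri_to_path(str_t alias, str_t loc, str_t uri, char *out, size_t cap) {
    if (uri.len < loc.len || memcmp(uri.data, loc.data, loc.len) != 0)
        return -1;                          /* prefix mismatch: reject */
    size_t tail = uri.len - loc.len;        /* cannot underflow now */
    if (alias.len + tail + 1 > cap)         /* +1 for the terminator */
        return -1;                          /* would not fit: reject */
    memcpy(out, alias.data, alias.len);
    memcpy(out + alias.len, uri.data + loc.len, tail);
    out[alias.len + tail] = '\0';
    return (long)(alias.len + tail);
}

/* C-string wrappers; last_path holds the most recently mapped path. */
static char last_path[256];
static str_t S(const char *s) { str_t t = { s, strlen(s) }; return t; }
size_t unchecked_cstr(const char *a, const char *l, const char *u) {
    return unchecked_path_len(S(a), S(l), S(u));
}
long map_cstr(const char *a, const char *l, const char *u) {
    return map_uri_to_path(S(a), S(l), S(u), last_path, sizeof last_path);
}

int main(void) {
    /* Constructed inputs: the page's alias, prefix and the two request paths. */
    printf("unchecked size for /x: %zu\n", unchecked_cstr("/data/files/", "/uploads/", "/x"));
    long n = map_cstr("/data/files/", "/uploads/", "/uploads/triggerfile.txt");
    printf("checked /uploads/triggerfile.txt: %ld -> %s\n", n, last_path);
    printf("checked /x: %ld (rejected)\n", map_cstr("/data/files/", "/uploads/", "/x"));
    return 0;
}
```

The unchecked computation for `/x` comes out as 5 (12 + 2 - 9 modulo the size_t width), far smaller than the data a subsequent copy would write, which is the shape of the allocation-size wrap the PoC description above relies on; the checked mapping never reaches that arithmetic.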
28 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A high-severity heap buffer overflow in nginx WebDAV COPY/MOVE handling with the alias directive, caused by a size_t underflow in path buffer calculation.
A heap buffer overflow vulnerability in NGINX’s DAV COPY/MOVE handling under specific alias configuration.
A heap buffer overflow in nginx WebDAV handling that can escape the WebDAV root and allow remote attackers to read or write files accessible to the worker UID under specific non-default configurations.
A buffer overflow vulnerability in the ngx_http_dav_module of NGINX Open Source and NGINX Plus that can crash the NGINX worker process or modify source/destination file names outside the document root under specific DAV module configurations.