Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-42063 (GCVE-0-2026-42063)
Vulnerability from cvelistv5 – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:10
VLAI?
EPSS
Title
iControl SOAP vulnerability
Summary
A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity ?
4.9 (Medium)
CWE
- CWE-552 - Files or Directories Accessible to External Parties
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
F5
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42063",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T15:57:58.509772Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T16:10:54.359Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"All Modules"
],
"product": "BIG-IP",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "21.1.0",
"versionType": "custom"
},
{
"lessThan": "21.0.0.2",
"status": "affected",
"version": "21.0.0",
"versionType": "custom"
},
{
"lessThan": "17.5.1.6",
"status": "affected",
"version": "17.5.0",
"versionType": "custom"
},
{
"lessThan": "17.1.3.2",
"status": "affected",
"version": "17.1.0",
"versionType": "custom"
},
{
"lessThan": "*",
"status": "affected",
"version": "16.1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F5"
}
],
"datePublic": "2026-05-13T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files.\u003c/span\u003e\u0026nbsp;\u0026nbsp;\u003c/span\u003eNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\u003cbr\u003e"
}
],
"value": "A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:12:38.300Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://my.f5.com/manage/s/article/K000160973"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "iControl SOAP vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-42063",
"datePublished": "2026-05-13T14:12:38.300Z",
"dateReserved": "2026-04-30T23:04:19.979Z",
"dateUpdated": "2026-05-13T16:10:54.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
FKIE_CVE-2026-42063
Vulnerability from fkie_nvd - Published: 2026-05-13 16:16 - Updated: 2026-06-23 13:57
Severity ?
Summary
A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
References
| URL | Tags | ||
|---|---|---|---|
| f5sirt@f5.com | https://my.f5.com/manage/s/article/K000160973 | Mitigation, Vendor Advisory |
Impacted products
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "unknown",
"modules": [
"All Modules"
],
"product": "BIG-IP",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "21.1.0",
"versionType": "custom"
},
{
"lessThan": "21.0.0.2",
"status": "affected",
"version": "21.0.0",
"versionType": "custom"
},
{
"lessThan": "17.5.1.6",
"status": "affected",
"version": "17.5.0",
"versionType": "custom"
},
{
"lessThan": "17.1.3.2",
"status": "affected",
"version": "17.1.0",
"versionType": "custom"
},
{
"lessThan": "*",
"status": "affected",
"version": "16.1.0",
"versionType": "custom"
}
]
}
],
"source": "f5sirt@f5.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "84ACD36F-E97D-4DDA-A8FD-D911095C1035",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BD71EC53-8ABC-410F-B031-0B3288D2E8DF",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1E446AEE-1CB7-411C-9549-0E12C2EBBF9C",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AFDDB2A2-3B00-4454-A5BA-F181972B8B70",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D186FF46-E0B0-4B54-9EA9-87AD379FA600",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4AFFB39F-3E07-4316-9DD6-C36407B09C20",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*",
"matchCriteriaId": "06CB53ED-B0CF-45D0-BF6B-C07C2B5AD3DA",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A6E75F5E-8C80-4287-84BF-6676B1029AA6",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2F330E98-E773-4D93-855D-1D82644B3F73",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "26D5B297-AAD7-4DF5-9C24-E9550DF2793A",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "59042348-3748-48E0-B78B-D978C6B241B2",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5082DEBB-5C7F-41A2-B48F-0C72C3A6782B",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B010CF79-60CD-4B4C-BDCA-61FBD59397B9",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*",
"matchCriteriaId": "39AA59D4-6DE8-4ABA-9EEB-840755CA76A2",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_automation_toolchain:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6C89D1A8-D453-4A12-97EA-6642F98FDA27",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_automation_toolchain:*:*:*:*:*:*:*:*",
"matchCriteriaId": "83FBED4E-1977-45EF-8D33-4A24D81BFE7C",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "54BB0364-2EFA-442B-9DB2-3A49677D965C",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F64237A9-9AF0-4D01-958F-753862C33ABF",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_container_ingress_services:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2727CEE5-75FD-4345-88C1-3ED60AAF7DE3",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_container_ingress_services:*:*:*:*:*:*:*:*",
"matchCriteriaId": "205B3D36-A3D8-4859-A3C4-2FA432B4A162",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EA180633-8625-4F8E-90E2-235BCD334256",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*",
"matchCriteriaId": "66DDBE6D-423A-4F60-9D06-0E10CB93FB66",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "35FF40AC-3A3E-4B4B-83F4-BB6048FEBB72",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E0B21289-FB5C-47FA-B054-50341236260D",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C83BE4EC-8775-4FF4-B362-9E6EBDD53A04",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C7F7C488-8C01-4EE7-A244-259237F06668",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "556AEFC8-8D4C-4E5A-9051-77424FAAC9D1",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E649795C-1B70-411B-B744-E0728109474D",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93597117-087D-4AAC-884F-8E1400D645FA",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "131D329E-0351-402B-BC67-698DC1C9A83E",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2F95824A-E1F8-412E-B59D-8278AE3CB571",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C8EF0B1D-AE26-4283-8D84-5CECB245652F",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4996DCE3-8F39-4917-96A0-2C44C900DEE0",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AA1487CA-A5F3-4689-9458-7309C2E17C9E",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "48DBF1EA-4DFD-402F-81BC-430B7D74C5FD",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7F234CDF-C413-4E70-9A97-6467ADB33EA9",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BA32DFFC-6412-4BA9-9382-5E307539AF4D",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BCBD1B79-3FC1-4288-BEF8-E5D60DA939A6",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D25B01D7-F665-47EE-9185-40581A6C3DA0",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*",
"matchCriteriaId": "83AD64DE-7D0B-4380-89E0-A06817B21606",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_websafe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4AE71FB5-6842-4822-9CA4-1427BC9187BF",
"versionEndIncluding": "17.1.3",
"versionStartIncluding": "17.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_websafe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F1516CC2-94CA-4FB2-AC5A-6CFB0580980C",
"versionEndIncluding": "17.5.1",
"versionStartIncluding": "17.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BD3A2286-B181-47DA-BCB3-A9D0E0B357AC",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "004CBB88-E617-4A0A-BE42-E1E6BB52D736",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*",
"matchCriteriaId": "920FA89D-E154-4936-B88E-8B60D5B39B40",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*",
"matchCriteriaId": "94ADD021-8229-4CDE-AE73-33FB1BD4A3C5",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "216A1ED3-D0CD-4A08-B9E8-A5B54942E831",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CA7B9727-7694-4D1B-8B48-175196544050",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5481F477-166F-4321-80A0-539095C6B829",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_automation_toolchain:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5462B02C-4414-4B14-A671-D8993BD9511D",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4A6B33EA-BD41-45A1-801F-BF2439E4F501",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_container_ingress_services:*:*:*:*:*:*:*:*",
"matchCriteriaId": "972BEB00-AAC3-42F7-BB45-881E1A3D1131",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*",
"matchCriteriaId": "226B7285-7977-4BBC-947E-E9541E1AAB89",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8B49FF41-861D-488F-94DC-DAE222A9BE0D",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4962EDD5-384F-4ABC-8696-8C4AACEE19BD",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CE7A5976-AAA0-4FF1-ADAC-4547F24765FA",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5728B748-0795-4056-91E8-B3A0DB3A3081",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C453B7CE-FBA6-46E7-975D-61D7A18773F9",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EC77DFC2-A3DC-46E6-9419-0ABA84CD275E",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "25701935-02F5-4BD8-95F0-6693C6606558",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AC71E265-C7B7-4A78-B73A-32B5FECE5D36",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8B029869-31AB-4FE2-846E-FC6F7133ADF8",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_websafe:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2760AEE2-DCA4-4ED8-92DE-F409EED1A7D9",
"versionEndIncluding": "16.1.6",
"versionStartIncluding": "16.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F10F963B-348A-4819-9109-EF0F2304CCDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "003B47C5-A8E3-4ECD-B0E1-6FD3BCC6C00A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CCCB38CF-FCDA-4E62-8BEA-70DE61D617B4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_analytics:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B1489ACC-1DCF-4107-A7A5-12E675B522F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B63EC396-5C6D-4F2B-AA4B-48C19A2DEF40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E8F401DC-AEE8-4DA1-8D54-51086557F0CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EB3D5211-78EA-479C-A468-F3DD867DA377",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_automation_toolchain:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4BF32E2A-2837-4F02-98D4-EC8D4AD7629A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_carrier-grade_nat:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7918553F-3A00-4F1F-8007-40C440D30EDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_container_ingress_services:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "63F0B2DD-6D9C-4A4E-AB9A-E417D0BA9725",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "961FD6A4-3969-4A7B-B154-71AB91102EDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_domain_name_system:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0EA3A0ED-753C-4909-8EDC-294AF6873791",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_edge_gateway:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B22E4040-EC36-44B7-AE6F-D8A5B982350F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_fraud_protection_service:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "90819202-D6CE-4742-957E-32653AD75AB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5E4DCF86-3120-4D11-8233-9E41BF6F1577",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_link_controller:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C3978168-BE6E-41DB-92A2-99843137BBFC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2BBB888F-2AAF-4F90-82F7-12A79A5D9EC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EA18854A-929E-4D5E-B2EC-9AC31A5694C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AB4EFA9A-FBB9-437C-9789-7C4EB489DD59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_webaccelerator:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "900D8242-3139-443E-98A3-30A7D9A0CA42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_websafe:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4DF82E2E-B438-4205-8A58-802A1F22EB3E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"id": "CVE-2026-42063",
"lastModified": "2026-06-23T13:57:19.510",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "f5sirt@f5.com",
"type": "Secondary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "f5sirt@f5.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-42063",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T15:57:58.509772Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-05-13T16:16:46.440",
"references": [
{
"source": "f5sirt@f5.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://my.f5.com/manage/s/article/K000160973"
}
],
"sourceIdentifier": "f5sirt@f5.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-552"
}
],
"source": "f5sirt@f5.com",
"type": "Secondary"
}
]
}
GHSA-3XQ5-WVJC-3JPX
Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30
VLAI?
Details
A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity ?
4.9 (Medium)
{
"affected": [],
"aliases": [
"CVE-2026-42063"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-13T16:16:46Z",
"severity": "MODERATE"
},
"details": "A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-3xq5-wvjc-3jpx",
"modified": "2026-05-13T18:30:56Z",
"published": "2026-05-13T18:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42063"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000160973"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
CERTFR-2026-AVI-0591
Vulnerability from certfr_avis - Published: 2026-05-15 - Updated: 2026-05-15
De multiples vulnérabilités ont été découvertes dans les produits F5. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| F5 | N/A | BIG-IP APM versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 | ||
| F5 | N/A | BIG-IP DNS versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 | ||
| F5 | N/A | BIG-IP Advanced WAF/ASM versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 | ||
| F5 | BIG-IP | BIG-IP versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 | ||
| F5 | BIG-IP Next | BIG-IP Next for Kubernetes versions 2.x antérieures à 2.2.0 | ||
| F5 | NGINX | F5 DoS for NGINX versions 4.8.0 | ||
| F5 | BIG-IP | BIG-IP versions 16.1.0 à 16.1.6 antérieures à 17.1.3 | ||
| F5 | N/A | BIG-IP DNS versions 17.5.0 à 17.5.1 antérieures à 21.0.0 | ||
| F5 | BIG-IP Next | BIG-IP Next SPK versions 1.7.0 à 1.7.16 antérieures à 1.7.17 | ||
| F5 | BIG-IP | BIG-IP versions 21.0.x antérieures à 21.0.0.2 | ||
| F5 | N/A | BIG-IP SSL Orchestrator versions 21.0.0 antérieures à 21.0.0.1 (SSL Orchestrator 13.1.3) | ||
| F5 | BIG-IP Next | BIG-IP Next SPK versions 2.0.0 à 2.0.2 antérieures à 2.0.3 | ||
| F5 | NGINX | NGINX Open Source versions 1.0.0 à 1.30.0 antérieures à 1.30.1 | ||
| F5 | N/A | BIG-IP BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 | ||
| F5 | NGINX | NGINX Gateway Fabric versions 1.3.0 à 1.6.2 | ||
| F5 | BIG-IP Next | BIG-IP Next CNF versions 2.0.0 à 2.0.2 antérieures à 2.0.3 | ||
| F5 | NGINX | NGINX App Protect DoS versions 4.3.0 à 4.7.0 | ||
| F5 | N/A | BIG-IP APM versions 17.5.0 à 17.5.1 antérieures à 17.5.1.4 | ||
| F5 | NGINX | NGINX App Protect WAF versions 4.9.0 à 4.16.0 | ||
| F5 | N/A | BIG-IP SSL Orchestrator versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 (SSL Orchestrator 12.3.2) | ||
| F5 | NGINX | NGINX Ingress Controller versions 5.0.0 à 5.4.2 | ||
| F5 | BIG-IP | BIG-IP versions 17.5.0 à 17.5.1 antérieures à 21.0.0.2 | ||
| F5 | NGINX | NGINX Ingress Controller versions 3.5.0 à 3.7.2 | ||
| F5 | NGINX | NGINX Open Source versions 0.3.50 à 0.9.7 antérieures à 1.30.1 | ||
| F5 | N/A | BIG-IP DNS versions 21.0.x antérieures à 21.0.0.1 | ||
| F5 | NGINX | NGINX Instance Manager versions 2.16.0 à 2.21.1 | ||
| F5 | N/A | BIG-IP BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender versions 17.5.0 à 17.5.1 antérieures à 17.5.1.4 | ||
| F5 | NGINX | NGINX Plus versions R36 antérieures à R36 P4 | ||
| F5 | BIG-IQ | BIG-IQ Centralized Management versions 8.4.0 antérieures à 8.4.1 | ||
| F5 | N/A | BIG-IP SSL Orchestrator versions 17.5.0 à 17.5.1 antérieures à 17.5.1.4 (SSL Orchestrator 12.3.2) | ||
| F5 | BIG-IP Next | BIG-IP Next CNF versions 1.1.0 à 1.4.0 antérieures à 1.4.1 | ||
| F5 | NGINX | NGINX App Protect WAF versions 5.1.0 à 5.8.0 | ||
| F5 | NGINX | NGINX Gateway Fabric versions 2.0.0 à 2.6.0 | ||
| F5 | NGINX | NGINX Ingress Controller versions 4.0.0 à 4.0.1 | ||
| F5 | N/A | BIG-IP PEM versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 | ||
| F5 | N/A | BIG-IP APM versions 21.0.x antérieures à 21.0.0.1 | ||
| F5 | N/A | BIG-IP DNS versions 16.1.0 à 16.1.6 antérieures à 17.1.3.1 | ||
| F5 | N/A | BIG-IP PEM versions 21.0.x antérieures à 21.0.0.1 | ||
| F5 | N/A | BIG-IP Advanced WAF/ASM versions 17.5.0 à 17.5.1 antérieures à 17.5.1.4 | ||
| F5 | N/A | BIG-IP Advanced WAF/ASM versions 21.0.x antérieures à 21.0.0.1 | ||
| F5 | N/A | BIG-IP PEM versions 17.5.0 à 17.5.1 antérieures à 17.5.1.4 | ||
| F5 | NGINX | NGINX Plus versions R32 antérieures à R32 P6 | ||
| F5 | NGINX | F5 WAF for NGINX versions 5.9.0 à 5.12.1 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "BIG-IP APM versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP DNS versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Advanced WAF/ASM versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "BIG-IP",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Next for Kubernetes versions 2.x ant\u00e9rieures \u00e0 2.2.0",
"product": {
"name": "BIG-IP Next",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "F5 DoS for NGINX versions 4.8.0",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP versions 16.1.0 \u00e0 16.1.6 ant\u00e9rieures \u00e0 17.1.3",
"product": {
"name": "BIG-IP",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP DNS versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 21.0.0",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Next SPK versions 1.7.0 \u00e0 1.7.16 ant\u00e9rieures \u00e0 1.7.17",
"product": {
"name": "BIG-IP Next",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP versions 21.0.x ant\u00e9rieures \u00e0 21.0.0.2",
"product": {
"name": "BIG-IP",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP SSL Orchestrator versions 21.0.0 ant\u00e9rieures \u00e0 21.0.0.1 (SSL Orchestrator 13.1.3)",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Next SPK versions 2.0.0 \u00e0 2.0.2 ant\u00e9rieures \u00e0 2.0.3",
"product": {
"name": "BIG-IP Next",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Open Source versions 1.0.0 \u00e0 1.30.0 ant\u00e9rieures \u00e0 1.30.1",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Gateway Fabric versions 1.3.0 \u00e0 1.6.2",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Next CNF versions 2.0.0 \u00e0 2.0.2 ant\u00e9rieures \u00e0 2.0.3",
"product": {
"name": "BIG-IP Next",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX App Protect DoS versions 4.3.0 \u00e0 4.7.0",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP APM versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 17.5.1.4",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX App Protect WAF versions 4.9.0 \u00e0 4.16.0",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP SSL Orchestrator versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1 (SSL Orchestrator 12.3.2)",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Ingress Controller versions 5.0.0 \u00e0 5.4.2",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 21.0.0.2",
"product": {
"name": "BIG-IP",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Ingress Controller versions 3.5.0 \u00e0 3.7.2",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Open Source versions 0.3.50 \u00e0 0.9.7 ant\u00e9rieures \u00e0 1.30.1",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP DNS versions 21.0.x ant\u00e9rieures \u00e0 21.0.0.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Instance Manager versions 2.16.0 \u00e0 2.21.1",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 17.5.1.4",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Plus versions R36 ant\u00e9rieures \u00e0 R36 P4",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IQ Centralized Management versions 8.4.0 ant\u00e9rieures \u00e0 8.4.1",
"product": {
"name": "BIG-IQ",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP SSL Orchestrator versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 17.5.1.4 (SSL Orchestrator 12.3.2)",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Next CNF versions 1.1.0 \u00e0 1.4.0 ant\u00e9rieures \u00e0 1.4.1",
"product": {
"name": "BIG-IP Next",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX App Protect WAF versions 5.1.0 \u00e0 5.8.0",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Gateway Fabric versions 2.0.0 \u00e0 2.6.0",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Ingress Controller versions 4.0.0 \u00e0 4.0.1",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP PEM versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP APM versions 21.0.x ant\u00e9rieures \u00e0 21.0.0.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP DNS versions 16.1.0 \u00e0 16.1.6 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP PEM versions 21.0.x ant\u00e9rieures \u00e0 21.0.0.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Advanced WAF/ASM versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 17.5.1.4",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Advanced WAF/ASM versions 21.0.x ant\u00e9rieures \u00e0 21.0.0.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP PEM versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 17.5.1.4",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Plus versions R32 ant\u00e9rieures \u00e0 R32 P6",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "F5 WAF for NGINX versions 5.9.0 \u00e0 5.12.1",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-41227",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41227"
},
{
"name": "CVE-2026-39458",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39458"
},
{
"name": "CVE-2026-42781",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42781"
},
{
"name": "CVE-2026-42780",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42780"
},
{
"name": "CVE-2026-40701",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40701"
},
{
"name": "CVE-2026-42920",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42920"
},
{
"name": "CVE-2026-42409",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42409"
},
{
"name": "CVE-2026-42946",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42946"
},
{
"name": "CVE-2026-42937",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42937"
},
{
"name": "CVE-2026-42919",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42919"
},
{
"name": "CVE-2026-42934",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42934"
},
{
"name": "CVE-2026-42406",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42406"
},
{
"name": "CVE-2026-40435",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40435"
},
{
"name": "CVE-2026-34176",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34176"
},
{
"name": "CVE-2026-40629",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40629"
},
{
"name": "CVE-2026-32673",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32673"
},
{
"name": "CVE-2026-41953",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41953"
},
{
"name": "CVE-2026-40061",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40061"
},
{
"name": "CVE-2026-42924",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42924"
},
{
"name": "CVE-2026-41225",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41225"
},
{
"name": "CVE-2026-35062",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35062"
},
{
"name": "CVE-2026-40423",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40423"
},
{
"name": "CVE-2026-34019",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34019"
},
{
"name": "CVE-2026-42926",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42926"
},
{
"name": "CVE-2026-20916",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-20916"
},
{
"name": "CVE-2026-41957",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41957"
},
{
"name": "CVE-2026-39455",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39455"
},
{
"name": "CVE-2026-40618",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40618"
},
{
"name": "CVE-2026-40631",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40631"
},
{
"name": "CVE-2026-32643",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32643"
},
{
"name": "CVE-2026-41217",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41217"
},
{
"name": "CVE-2026-40698",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40698"
},
{
"name": "CVE-2026-39459",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39459"
},
{
"name": "CVE-2026-40703",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40703"
},
{
"name": "CVE-2026-28758",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-28758"
},
{
"name": "CVE-2026-41954",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41954"
},
{
"name": "CVE-2026-40699",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40699"
},
{
"name": "CVE-2026-40462",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40462"
},
{
"name": "CVE-2026-41219",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41219"
},
{
"name": "CVE-2026-24464",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24464"
},
{
"name": "CVE-2026-40067",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40067"
},
{
"name": "CVE-2026-42063",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42063"
},
{
"name": "CVE-2026-42408",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42408"
},
{
"name": "CVE-2026-40060",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40060"
},
{
"name": "CVE-2026-42945",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42945"
},
{
"name": "CVE-2026-41956",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41956"
},
{
"name": "CVE-2026-41218",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41218"
},
{
"name": "CVE-2026-41959",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41959"
},
{
"name": "CVE-2026-42930",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42930"
},
{
"name": "CVE-2026-40460",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40460"
},
{
"name": "CVE-2026-42058",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42058"
}
],
"initial_release_date": "2026-05-15T00:00:00",
"last_revision_date": "2026-05-15T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0591",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-15T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits F5. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits F5",
"vendor_advisories": [
{
"published_at": "2026-05-13",
"title": "Bulletin de s\u00e9curit\u00e9 F5 K000160932",
"url": "https://my.f5.com/manage/s/article/K000160932"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…