Two zero-days in software that runs 30-40% of the entire internet. One in the reverse proxy that shields your site. The other in the self-hosted Git that holds your code. Both remotely exploitable, no authentication, no interaction. At Tech86, we've seen this combination before — and the pattern is clear: the most obvious entry points are the ones nobody audits.
NGINX PoolSlip: heap overflow in the rewrite module
CVE-2026-9256 is a heap buffer overflow in ngx_http_rewrite_module — the module that processes rewrite rules and redirects across every NGINX configuration. CVSS v4.0: 9.2. Pre-auth, remote, no interaction. A single crafted HTTP request.
The trigger is a rewrite directive whose regex contains overlapping unnamed PCRE captures, such as ^/((.*))$, combined with a replacement string that references more than one capture, such as $1$2. NGINX underestimates the output size after URI escaping, where each escapable byte expands from 1 to 3 bytes: the buffer is allocated for the raw size, and the copy writes past its end. The result is an out-of-bounds write in worker memory.
The immediate impact is DoS via repeated worker crashes. With ASLR disabled or bypassable, the path to RCE in the worker context is open. And the researcher notes: the master forks workers with identical layout — crashing one worker and retrying is viable.
The configuration pattern that triggers PoolSlip isn't exotic. Rewrite rules with overlapping captures and multiple backreferences are common in API gateways, dynamic routing, and URL migrations. If your nginx.conf contains something like rewrite ^/((.*))$ /new-path/$1$2;, you're on the attack surface. And the probability that someone has already scanned for this configuration with automated tools is high.
Nine days, two heap overflows in the same module
Here's the point that cannot be ignored: CVE-2026-42945, the first heap overflow in the rewrite module, was patched in versions 1.31.0 and 1.30.1. Anyone who updated to those versions remains vulnerable to PoolSlip. Different bugs, same code. Two heap overflows in 9 days in the same module isn't coincidence — it's a signal that the rewrite engine needs deep auditing, not incremental patches.
The PoolSlip patch is in versions 1.31.1 and 1.30.2. The 0.x branch is EOL with no fix planned. Check the version of the nginx binary that is actually running, not the version the OS package reports: the two often differ, and that discrepancy is common and expensive.
The immediate mitigation is replacing unnamed captures with named captures in rewrite directives. This eliminates the vulnerable code path without requiring a reboot. But it's a workaround, not a structural solution. The NGINX rewrite engine is a subsystem with shared state between passes, conditional escaping, and multiple code paths — exactly the kind of surface where logical bugs accumulate undetected for years.
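The two checks above, as an added example in POSIX shell that is not code from the original post or from the NGINX project: a scan of a constructed nginx.conf for rewrite directives with nested unnamed captures and multiple backreferences (shown next to the named-capture form of the same rule), plus a version test against the fixed releases named above. The function names are mine, and treating releases newer than 1.31 as fixed and older than 1.30 as unfixed is an assumption.

```shell
#!/bin/sh
# Added example (not from the Tech86 post or the NGINX project).
# find_risky_rewrites flags rewrite directives with a nested unnamed capture
# "((" and two or more $N backreferences; is_patched compares a version against
# the fixed releases the post names (1.31.1 and 1.30.2).
set -u

# Constructed nginx.conf: only the first rewrite matches the risky pattern;
# the third is the named-capture form of the same rule (same resulting URI).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
server {
    rewrite ^/((.*))$ /new-path/$1$2;
    rewrite ^/old/(.*)$ /new/$1 permanent;
    rewrite ^/(?<path>.*)$ /new-path/$path$path;
}
EOF

# find_risky_rewrites FILE...: print rewrite lines whose regex contains "(("
# and whose replacement (third field) references two or more captures.
find_risky_rewrites() {
    grep -hE '^[[:space:]]*rewrite[[:space:]]' "$@" | grep -E '\(\(' \
      | awk '{ s = $3; if (gsub(/[$][0-9]/, "&", s) >= 2) print }'
}

# count_risky FILE...: number of flagged directives, as a bare number.
count_risky() { find_risky_rewrites "$@" | wc -l | tr -d ' '; }

# is_patched VERSION: 0 when VERSION is at or past its branch's fixed release.
# Assumption: releases after 1.31.x are fixed, releases before 1.30 are not.
is_patched() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    [ "$minor" -gt 31 ] && return 0
    [ "$minor" -eq 31 ] && [ "$patch" -ge 1 ] && return 0
    [ "$minor" -eq 30 ] && [ "$patch" -ge 2 ] && return 0
    return 1
}

# nginx_binary_version: version of the nginx binary on PATH (from "nginx -v",
# which prints to stderr); this, not the distro package version, is the input.
nginx_binary_version() {
    nginx -v 2>&1 | sed -n 's#^nginx version: nginx/\([0-9.]*\).*#\1#p'
}
echo "risky rewrite directives: $(count_risky "$SAMPLE_CONF")"
find_risky_rewrites "$SAMPLE_CONF"
```

On a real host, run find_risky_rewrites over /etc/nginx/nginx.conf and every included file, and feed "$(nginx_binary_version)" to is_patched.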
Gogs: argument injection with RCE and no patch
While NGINX patches in days, Gogs follows a different path. CVSS 9.4. Argument injection via branch name in pull requests. The attacker creates a branch with --exec in the name. When the merge uses "Rebase before merging," the command executes after each replayed commit. RCE with Gogs process privileges.
What makes this critical: open registration by default, no repository limit. The attacker creates an account, creates a repo, enables rebase, exploits. No interaction from another user. Self-contained RCE. With process access, the attacker reads private repos, dumps credentials, pivots to other systems, silently modifies code.
Rapid7 notified the maintainer in mid-March. As of May 29: no patch. Over two months. And this is the second Gogs zero-day in 6 months — the first, CVE-2025-8110, was reported by Wiz in December. Two zero-days in half a year, with slow response on both, is a pattern that signals a structural maintenance problem — not an isolated incident.
For teams relying on Gogs as their central code repository, the implication is direct: every day without a patch is a day the attack surface grows. Automated exploitation tools make the discovery and abuse of vulnerabilities like this increasingly fast.
The lesson: convenience without maintenance is an easy target
Gogs is popular because it offers the convenience of a private GitHub at no cost. Small teams adopt it for simplicity. But the combination of open registration by default, months without a patch, and two zero-days in half a year turns that convenience into calculated risk — and the math doesn't favor whoever keeps the instance running.
At Tech86, our recommendation is direct: migrate to Gitea or Forgejo. They're Gogs forks with active maintenance, consistent security fixes, and engaged communities. Migration is relatively straightforward — both support direct import from Gogs repositories. If migration isn't immediate, disable open registration, disable rebase merging, and restrict network access. These three measures drastically reduce the surface — but they don't eliminate the vulnerability.
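A server-side check against the branch-name shape described above, as an added example in POSIX shell that is not code from the post or from the Gogs project: a git pre-receive hook that rejects refs whose name (or any path component of it) starts with a dash, so a name like --exec=... never reaches a rebase command. The function names, the sample push lines, and the assumption that you can install a custom pre-receive hook on the bare repositories behind your instance are all mine.

```shell
#!/bin/sh
# Added example (not from the Tech86 post or the Gogs project): a pre-receive
# hook that refuses branch or tag names a later git command could read as an
# option, the shape of name the argument injection above relies on.
# Assumption: you can install this as hooks/pre-receive in the bare repositories.
set -u

# ref_is_safe REFNAME: returns 0 unless the short name, or any path component
# of it, starts with "-" (e.g. refs/heads/--exec=... or refs/heads/x/--exec=...).
ref_is_safe() {
    short=${1#refs/heads/}
    short=${short#refs/tags/}
    case "$short" in
        -*|*/-*) return 1 ;;
        *)       return 0 ;;
    esac
}

# check_updates: reads "oldrev newrev refname" lines in the format git passes
# to pre-receive on stdin; returns 1 (rejecting the push) if any ref is unsafe.
check_updates() {
    rc=0
    while read -r oldrev newrev refname; do
        [ -n "$refname" ] || continue
        if ! ref_is_safe "$refname"; then
            echo "rejected $refname: ref name looks like a command-line option" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample push: one ordinary branch, one option-shaped branch.
SAMPLE_PUSH='0000000000000000000000000000000000000000 1111111111111111111111111111111111111111 refs/heads/feature/login
0000000000000000000000000000000000000000 2222222222222222222222222222222222222222 refs/heads/--exec=true'

# demo: run the sample push through the hook logic; returns its exit status.
demo() { printf '%s\n' "$SAMPLE_PUSH" | check_updates; }

# git exports GIT_DIR while running hooks; outside a hook, run the demo.
if [ -n "${GIT_DIR:-}" ]; then
    check_updates
elif demo; then
    echo "sample push accepted"
else
    echo "sample push rejected (expected: second ref is option-shaped)"
fi
```

This complements, not replaces, the three measures above; the registration switch lives in the Gogs app.ini [service] section (DISABLE_REGISTRATION).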
Conclusion
Two zero-days. Two pieces of software running at global scale. NGINX: two heap overflows in 9 days in the same module, patches in days but the exploitation window is real. Gogs: RCE with no patch for 2+ months, second zero-day in 6 months. Your reverse proxy and your self-hosted Git cannot be the entry points into your infrastructure.
At Tech86, we audit web infrastructure and code pipelines with security-by-design. We identify vulnerable configurations before they become exploits — and when the patch doesn't come, we build the defense layers that protect while the structural problem remains unsolved. Because in infrastructure, what isn't audited gets exploited.
