A critical vulnerability in the NGINX rewrite module, undetected for 18 years, has been disclosed. It allows unauthenticated remote code execution. The flaw, tracked as CVE-2026-42945, affects both NGINX Plus and NGINX Open Source and has a CVSS v4 score of 9.2, indicating a high-severity threat. It is a heap buffer overflow in ngx_http_rewrite_module that attackers could exploit to execute arbitrary code or cause a denial-of-service condition. The vulnerability was uncovered by depthfirst researchers, who brought attention to the long-standing weakness.

Given the widespread use of NGINX, this disclosure significantly expands the active attack surface, so practitioners should prioritize mitigation based on their exposure and on evidence of exploitation. That the vulnerability went undetected for nearly two decades underscores the importance of continuous security assessments and updates. What matters most to practitioners is addressing it promptly to prevent potential attacks.