A critical 18-year-old remote code execution flaw has been discovered in the Nginx web server, potentially allowing attackers to execute malicious code under specific conditions. The vulnerability, tracked as CVE-2026-42945, is a heap buffer overflow that had gone undetected for nearly two decades. Researchers from DepthFirst AI, using their LLM-powered platform, identified this flaw along with three other bugs in Nginx [1]. The discovery underscores the limitations of traditional security scanning methods and highlights the value of advanced tooling for finding long-hidden vulnerabilities. The disclosure expands the active attack surface, so practitioners should prioritize mitigation based on their own exposure and on available exploitation evidence. That a vulnerability of this severity went undetected for so long emphasizes the need for ongoing, rigorous security testing and review of widely used open-source projects; what matters most to practitioners now is promptly assessing their exposure to CVE-2026-42945.
AI agent finds 18-year-old remote code execution flaw in Nginx
⚠️ Critical Alert
Why This Matters
CVE-2026-42945 disclosure expands the active attack surface — prioritize based on your exposure and exploitation evidence.
References
- CSO Online. (2026, May 14). AI agent finds 18-year-old remote code execution flaw in Nginx. CSO Online. https://www.csoonline.com/article/4171437/ai-agent-finds-18-year-old-remote-code-execution-flaw-in-nginx.html