CVE-2026-33032 is a CVSS 9.8 unauthenticated remote code execution vulnerability in NGINX-UI, a third-party web management interface for NGINX servers, with active exploitation reported and an EPSS score at the 95th percentile. NGINX-UI is not part of core NGINX; organizations may not track it in vulnerability management programs that scope only the upstream NGINX package. Note: specific affected version range and patch version require human verification against NVD and the NGINX-UI project repository, as this data was not confirmed in available sources at time of publication.