F5 disclosed two critical RCE vulnerabilities (CVSS 9.5) in NGINX’s HTTP/3 QUIC and HTTP/2 proxy modules on June 18, 2026, affecting the full NGINX product family including Open Source, Plus, Gateway Fabric, Ingress Controller, Instance Manager, App Protect WAF, and App Protect DoS. A closely related NGINX RCE disclosed in May 2026 reached active exploitation within days, establishing a credible exploitation velocity baseline. Patches are available; apply immediately.