Nginx versions prior to 1.29.7 are affected by a path traversal vulnerability (CVE-2026-27654, CVSS 7.5) exploitable only when the WebDAV module is enabled alongside alias directives and COPY or MOVE methods — a non-default configuration. Exploitation could allow unauthenticated remote file read or write outside the WebDAV root, but default Nginx deployments are not affected and current EPSS is low (9.93rd percentile). Organizations should inventory Nginx deployments for the vulnerable configuration combination, disable COPY/MOVE from dav_methods where not required, and upgrade to 1.29.7; Nginx Plus deployments should reference F5 advisory K000160382.