F5 disclosed two critical unauthenticated RCE vulnerabilities in NGINX’s HTTP/3 QUIC and HTTP/2 proxy modules, affecting a wide product family including NGINX Open Source, NGINX Plus, NGINX Gateway Fabric, NGINX Ingress Controller, and multiple App Protect and DoS products. No confirmed in-the-wild exploitation has been reported for these two CVEs, but a closely related NGINX RCE (CVE-2026-42945) was weaponized within days of disclosure last month, establishing a clear precedent for rapid weaponization of this vulnerability class. Patch within 24-48 hours.