CVE-2026-27944 is the highest-priority item in this rollup: a CISA KEV-confirmed, unauthenticated critical vulnerability (CVSS 9.8) that exposes a full system backup and its decryption key in a single HTTP request, no credentials required. Exposed data includes user credentials, session tokens, SSL/TLS private keys, and Nginx configurations, giving an attacker immediate leverage over downstream systems. Emergency action required: block the /api/backup endpoint at the perimeter immediately and upgrade to Nginx UI version 2.3.3 or later without delay.