
bunkerweb

v1.6.11 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 9d Network Security
This release patches 1 known CVE

Topics

antibot security devops dnsbl docker hardening hosting kubernetes letsencrypt modsecurity nginx proxy security-tuning swarm waap web-application-firewall web-security

Affected surfaces

rce_ssrf breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 9d

The release updates nginx to version 1.30.2, which patches CVE‑2026‑9256, a heap buffer overflow vulnerability.

Why it matters: CVE‑2026‑9256 has severity score 95; upgrading nginx to 1.30.2 eliminates the vulnerability for any component relying on the nginx dependency.

Summary

AI summary

Updates All-in-one, BunkerWeb, and Scheduler across a mixed release.

Changes in this release

Security Critical

Updates nginx to 1.30.2, fixing CVE-2026-9256 heap buffer overflow vulnerability.


Source: llm_adapter@2026-05-25

Confidence: high

Full changelog

Documentation : https://docs.bunkerweb.io/1.6.11/

Docker tags :

  • All-in-one : bunkerity/bunkerweb-all-in-one:1.6.11 or ghcr.io/bunkerity/bunkerweb-all-in-one:1.6.11
  • BunkerWeb : bunkerity/bunkerweb:1.6.11 or ghcr.io/bunkerity/bunkerweb:1.6.11
  • Scheduler : bunkerity/bunkerweb-scheduler:1.6.11 or ghcr.io/bunkerity/bunkerweb-scheduler:1.6.11
  • Autoconf : bunkerity/bunkerweb-autoconf:1.6.11 or ghcr.io/bunkerity/bunkerweb-autoconf:1.6.11
  • UI : bunkerity/bunkerweb-ui:1.6.11 or ghcr.io/bunkerity/bunkerweb-ui:1.6.11
  • API : bunkerity/bunkerweb-api:1.6.11 or ghcr.io/bunkerity/bunkerweb-api:1.6.11

Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=1.6.11&filter=all&dist=

Changelog :

  • [SECURITY] nginx: update nginx to 1.30.2 (except for Fedora as it is not yet available) to fix CVE-2026-9256 — a heap buffer overflow in ngx_http_rewrite_module with overlapping captures that could lead to worker-process arbitrary code execution.

Security Fixes

  • CVE-2026-9256 — heap buffer overflow in ngx_http_rewrite_module causing worker-process arbitrary code execution


About bunkerweb

Open-source and next-generation Web Application Firewall (WAF)
