Proof-of-concept exploit code is now publicly available for a critical NGINX vulnerability that went undetected for 16 years. The bug, tracked as CVE-2026-42945 with a CVSS score of 9.2, is a heap buffer overflow in the rewrite module that can cause denial-of-service conditions and potentially enable remote code execution if certain security protections are disabled. F5 has patched the vulnerability in both NGINX Plus and open source versions, and administrators are urged to update immediately as technical details of the exploit have been published.