
Cyber Centre Daily Advisory Digest — 2026-04-16 (2 advisories)

The Canadian Centre for Cyber Security issued advisories for critical vulnerabilities in Drupal core and Nginx UI. Notably, the Nginx UI vulnerability (CVE-2026-33032) is currently being exploited in the wild, requiring immediate patching and monitoring of exposed management interfaces.

Sens: Immediate | Conf: high | Analyzed: 2026-04-16 | reports

Authors: Canadian Centre for Cyber Security

Source: Canadian Centre for Cyber Security

Key Takeaways

  • Nginx UI version v2.3.5 and prior are affected by a critical vulnerability (CVE-2026-33032) that is currently being exploited in the wild.
  • Drupal core is affected by a critical Cross-Site Scripting (XSS) vulnerability tracked as SA-CORE-2026-001.
  • Immediate patching or mitigation is required for both public-facing applications to prevent compromise.

Affected Systems

  • Drupal core (multiple versions)
  • Nginx UI (version v2.3.5 and prior)

Vulnerabilities (CVEs)

  • CVE-2026-33032
  • SA-CORE-2026-001

Attack Chain

Threat actors are actively exploiting CVE-2026-33032 in public-facing instances of Nginx UI (v2.3.5 and prior) to compromise affected systems. Concurrently, a critical cross-site scripting (XSS) vulnerability (SA-CORE-2026-001) in Drupal core allows attackers to potentially execute malicious scripts within the context of a victim's browser session.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the advisory.

Detection Engineering Assessment

  • EDR Visibility: Low. These are web application vulnerabilities; initial exploitation will primarily be visible in web server access logs and WAF telemetry rather than EDR, unless post-exploitation activities occur on the host.
  • Network Visibility: Medium. Network intrusion detection systems and WAFs can potentially identify XSS payloads targeting Drupal or exploit attempts against Nginx UI if signatures are available.
  • Detection Difficulty: Moderate. Detecting the Nginx UI exploitation depends on the availability of specific exploit signatures for CVE-2026-33032, which are not detailed in the advisory.

Required Log Sources

  • Web Server Access Logs
  • WAF Logs
  • Application Logs

Hunting Hypotheses

| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unusual access patterns, unexpected error codes, or suspicious payloads in Nginx UI web logs indicating exploitation attempts of CVE-2026-33032. | Web Server Access Logs | Initial Access | Low |
| Search for suspicious JavaScript payloads or encoded characters in HTTP request parameters targeting Drupal core installations. | WAF Logs | Initial Access | Medium |

Control Gaps

  • Unpatched public-facing infrastructure
  • Lack of WAF rules for newly disclosed vulnerabilities
  • Public exposure of management interfaces (Nginx UI)

Key Behavioral Indicators

  • Suspicious HTTP requests to Nginx UI endpoints
  • XSS payloads in Drupal web requests

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Update Nginx UI to a version later than v2.3.5 immediately due to active exploitation.
  • Apply the latest security updates for Drupal core to address the SA-CORE-2026-001 XSS vulnerability.

Infrastructure Hardening

  • Ensure public-facing applications are placed behind a Web Application Firewall (WAF).
  • Restrict access to management interfaces like Nginx UI to trusted IP addresses, management VLANs, or VPNs.
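
An added example (not part of the advisory or of Nginx UI) that ties the access-restriction recommendation above to the first hunting hypothesis: it reads access logs for the management interface's virtual host and reports every source outside the trusted ranges, with a count of 4xx/5xx responses. The CIDR ranges, the nginx "combined" log format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: placeholder management ranges; replace with your own VPN/VLAN CIDRs.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.168.50.0/24")]

# nginx "combined" access log prefix: client, ident, user, [time], "request", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges, placeholder request paths).
SAMPLE = [
    '10.20.0.5 - - [16/Apr/2026:09:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [16/Apr/2026:09:02:10 +0000] "GET / HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [16/Apr/2026:09:02:11 +0000] "POST /example HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.23 - - [16/Apr/2026:09:05:00 +0000] "GET /example HTTP/1.1" 500 0 "-" "-"',
    'truncated or malformed line',
]

def is_trusted(ip_text):
    """True only if the client field parses as an IP inside a trusted range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostname or garbage in the client field: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def audit(lines):
    """Return (per-IP findings for untrusted sources, count of unparsed lines)."""
    findings = defaultdict(lambda: {"requests": 0, "errors": 0, "first_seen": None})
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # keep a count so log-format drift is noticed
            continue
        if is_trusted(m["ip"]):
            continue
        rec = findings[m["ip"]]
        rec["requests"] += 1
        rec["errors"] += int(m["status"]) >= 400  # 4xx/5xx responses
        rec["first_seen"] = rec["first_seen"] or m["ts"]
    return dict(findings), unparsed

if __name__ == "__main__":
    hits, skipped = audit(SAMPLE)
    for ip, rec in sorted(hits.items()):
        print(ip, rec)
    print("unparsed lines:", skipped)
```

Any source this reports reached the management interface from outside the intended ranges, which means the access restriction is missing or bypassed and those requests should be reviewed first.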

User Protection

  • N/A

Security Awareness

  • Monitor threat intelligence feeds for further technical details and IOCs related to the exploitation of CVE-2026-33032.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1059.007 - Command and Scripting Interpreter: JavaScript