HeroDevs
Visit NES for Ingress NGINX Home Page

NES for Ingress NGINX Release Notes

Comprehensive release notes and changelog for NES for Ingress NGINX, including security patches, bug fixes, and feature updates across all supported versions.

5 Patched Vulnerabilities
VEX Statements

Ingress NGINX

1.15.2 (NES) - April 20, 2026

Container Image: registry.nes.herodevs.com/neverendingsupport/ingress-nginx-controller:v1.15.1-nes-1.15.2

Helm Chart: HeroDevs/ingress-nginx --version 0.0.2 (see Helm Charts)

Based on upstream ingress-nginx v1.15.1 Go version: 1.26.2 NGINX version: 1.27.1 (compiled from source on Alpine 3.23.3)

This release addresses multiple high-severity CVEs across the Go toolchain and Go module dependencies.

For upgrade instructions using the NES for Ingress NGINX Helm chart, see Helm Charts.

Go Toolchain

  • CVE-2026-32282 — (Medium, CVSS 6.4) — Root.Chmod follows symlinks outside root via TOCTOU race on Linux (internal/syscall/unix). Fixed by upgrading Go 1.26.1 → 1.26.2.

Go Module Dependencies

  • CVE-2024-44337 (Medium, CVSS 5.1) — github.com/gomarkdown/markdown: Infinite loop in paragraph parser causes denial-of-service. Bumped to patched version.
  • CVE-2026-35204 (High, CVSS 8.4) — helm.sh/helm/v4: Path traversal in plugin version field allows arbitrary file write (CWE-22). Upgraded helm v4.1.3 → v4.1.4.
  • CVE-2026-35205 (High, CVSS 8.4) — helm.sh/helm/v4: Missing .prov file check skips plugin signature verification, enabling arbitrary code execution (CWE-636). Upgraded helm v4.1.3 → v4.1.4.
  • CVE-2026-40890 (High, CVSS 7.5) — github.com/gomarkdown/markdown: Out-of-bounds read/panic in SmartypantsRenderer on malformed < input. Bumped to patched version.