
NES for Ingress NGINX Release Notes

Comprehensive release notes and changelog for NES for Ingress NGINX, including security patches, bug fixes, and feature updates across all supported versions.

7 Patched Vulnerabilities
VEX Statements

Ingress NGINX

1.15.3 (NES) - May 4, 2026

Container Image: registry.nes.herodevs.com/nes/ingress-nginx:v1.15.1-nes-1.15.3

Helm Chart: HeroDevs/ingress-nginx --version 0.0.5 (see Helm Charts)

Based on upstream ingress-nginx v1.15.1

Go version: 1.26.3

NGINX version: 1.27.1 (compiled from source on Alpine 3.23.3)

This release addresses CVE-2026-27135 in the nghttp2-libs Alpine package, four Go standard library advisories patched by upgrading the Go toolchain to 1.26.3, and an HTTP/2 transport vulnerability in golang.org/x/net patched by bumping that module to v0.53.0.

For upgrade instructions using the NES for Ingress NGINX Helm chart, see Helm Charts.

Alpine Packages

  • CVE-2026-27135 (High, CVSS 7.5) — nghttp2-libs: Denial-of-service via malformed HTTP/2 frames after session termination. Fixed by rebuilding the NGINX base image with nghttp2-libs 1.68.1-r0 (v2.2.9-nes.2 NGINX base respin).

Go Toolchain

  • GO-2026-4982 html/template: Bypass of meta content URL escaping causes XSS. Fixed by upgrading Go 1.26.2 → 1.26.3.
  • GO-2026-4980 html/template: Escaper bypass leads to XSS. Fixed by upgrading Go 1.26.2 → 1.26.3.
  • GO-2026-4971 net: Panic in Dial and LookupPort when handling NUL byte on Windows. Fixed by upgrading Go 1.26.2 → 1.26.3. Not reachable in this build (controller runs on Linux only).
  • GO-2026-4918 net/http and golang.org/x/net: Infinite loop in HTTP/2 transport on bad SETTINGS_MAX_FRAME_SIZE. Fixed by upgrading Go 1.26.2 → 1.26.3 and golang.org/x/net v0.52.0 → v0.53.0.

1.15.2 (NES) - April 20, 2026

Container Image: registry.nes.herodevs.com/nes/ingress-nginx:v1.15.1-nes-1.15.2

Helm Chart: HeroDevs/ingress-nginx --version 0.0.2 (see Helm Charts)

Based on upstream ingress-nginx v1.15.1

Go version: 1.26.2

NGINX version: 1.27.1 (compiled from source on Alpine 3.23.3)

This release addresses multiple high-severity CVEs across the Go toolchain and Go module dependencies.

For upgrade instructions using the NES for Ingress NGINX Helm chart, see Helm Charts.

Go Toolchain

  • CVE-2026-32282 (Medium, CVSS 6.4) — Root.Chmod follows symlinks outside root via TOCTOU race on Linux (internal/syscall/unix). Fixed by upgrading Go 1.26.1 → 1.26.2.

Go Module Dependencies

  • CVE-2024-44337 (Medium, CVSS 5.1) — github.com/gomarkdown/markdown: Infinite loop in paragraph parser causes denial-of-service. Bumped to patched version.
  • CVE-2026-35204 (High, CVSS 8.4) — helm.sh/helm/v4: Path traversal in plugin version field allows arbitrary file write (CWE-22). Upgraded helm v4.1.3 → v4.1.4.
  • CVE-2026-35205 (High, CVSS 8.4) — helm.sh/helm/v4: Missing .prov file check skips plugin signature verification, enabling arbitrary code execution (CWE-636). Upgraded helm v4.1.3 → v4.1.4.
  • CVE-2026-40890 (High, CVSS 7.5) — github.com/gomarkdown/markdown: Out-of-bounds read/panic in SmartypantsRenderer on malformed < input. Bumped to patched version.