www/nginx: Update to 1.28.3

Changes with nginx 1.28.3                                   24 Mar 2026

*) Security: a buffer overflow might occur while handling a COPY or MOVE
   request in a location with "alias", allowing an attacker to modify
   the source or destination path outside of the document root
   (CVE-2026-27654).
   Thanks to Calif.io in collaboration with Claude and Anthropic
   Research.

*) Security: processing of a specially crafted mp4 file by the
   ngx_http_mp4_module on 32-bit platforms might cause a worker process
   crash, or might have potential other impact (CVE-2026-27784).
   Thanks to Prabhav Srinath (sprabhav7).

*) Security: processing of a specially crafted mp4 file by the
   ngx_http_mp4_module might cause a worker process crash, or might have
   potential other impact (CVE-2026-32647).
   Thanks to Xint Code and Pavel Kohout (Aisle Research).

*) Security: a segmentation fault might occur in a worker process if the
   CRAM-MD5 or APOP authentication methods were used and authentication
   retry was enabled (CVE-2026-27651).
   Thanks to Arkadi Vainbrand.

*) Security: an attacker might use PTR DNS records to inject data in
   auth_http requests, as well as in the XCLIENT command in the backend
   SMTP connection (CVE-2026-28753).
   Thanks to Asim Viladi Oglu Manizada, Colin Warren, Xiao Liu (Yunnan
   University), Yuan Tan (UC Riverside), and Bird Liu (Lanzhou
   University).

*) Security: SSL handshake might succeed despite OCSP rejecting a client
   certificate in the stream module (CVE-2026-28755).
   Thanks to Mufeed VH of Winfunc Research.

*) Change: now nginx limits the size and rate of QUIC stateless reset
   packets.

*) Bugfix: receiving a QUIC packet by a wrong worker process could cause
   the connection to terminate.

*) Bugfix: in the ngx_http_mp4_module.
   Thanks to Andrew Lacambra.

Sponsored by: Netzkommune GmbH