The Hacker News

New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

HTTP/2 Bomb exploits HPACK and flow control; a single client can hold 32GB memory in 20 seconds, causing server outages.
SecurityWeek

‘HTTP/2 Bomb’ Exploit Knocks Web Servers Offline in Seconds

The HTTP/2 Bomb exploit chains two known denial-of-service (DoS) attack techniques to knock major web servers offline.
InfoWorld

Apache or Nginx? Go with both

Choosing a Web server is not a zero-sum game, and many workloads favor a combination of the two leading names I happened to read Netcraft’s May 2014 Web server market share report the other day. We ...
Security Boulevard

Imperva Customers Protected Against CVE-2026-49975 (HTTP/2 Bomb) DoS

TL;DR: CVE-2026-49975, dubbed the “HTTP/2 Bomb,” is a critical remote Denial-of-Service (DoS) vulnerability affecting default HTTP/2 configurations of major web servers including NGINX, Apache HTTPD, ...
Ars Technica

Attack hitting Apache sites goes mainstream, hacks nginx, Lighttpd, too

Security researchers have uncovered an ongoing and widespread attack that causes sites running three of the Internet’s most popular Web servers to push potent malware exploits on visitors. “This is ...
ZDNet

Apache's new security update for HTTP Server fixes two flaws

The Apache Software Foundation has released an update to address a critical flaw in its hugely popular web server that allows remote attackers to take control of a vulnerable system. The first Apache ...