nginx news: 2026

2026-03-24

nginx-1.28.3 stable and nginx-1.29.7 mainline versions have been released, with fixes for a buffer overflow vulnerability in the ngx_http_dav_module (CVE-2026-27654), buffer overflow vulnerabilities in the ngx_http_mp4_module (CVE-2026-27784, CVE-2026-32647), mail session authentication vulnerabilities (CVE-2026-27651, CVE-2026-28753) and an OCSP result bypass vulnerability in stream (CVE-2026-28755). Additionally, the nginx-1.29.7 mainline version introduces support for Multipath TCP and upgrades the default proxy HTTP version to HTTP/1.1 with keep-alive enabled.

2026-03-10

nginx-1.29.6 mainline version has been released, featuring sticky sessions support for upstreams.

2026-03-03

njs-0.9.6 version has been released, featuring optional chaining, nullish coalescing assignment (??=), and logical assignment operators (||= and &&=).

2026-02-04

nginx-1.28.2 stable and nginx-1.29.5 mainline versions have been released, with a fix for the SSL upstream injection vulnerability (CVE-2026-1642).

2026-01-13

njs-0.9.5 version has been released, featuring native modules support for the qjs engine in http and stream.