Hacker News | sharestuff's comments

Are you familiar?

1. HTTP/2 Smuggling
2. XXE via Office Open XML Parsers
3. SSRF via XSS in PDF Generators
4. XSS via SVG Files
5. Blind XSS
6. Web Cache Deception
7. Web Cache Poisoning
8. h2c Smuggling
9. Second Order Subdomain Takeovers
10. postMessage bugs


There was a follow-up to this released last week by Frans Rosen on Detectify Labs that looked into middleware in general and is still applicable to nginx: https://labs.detectify.com/2021/02/18/middleware-middleware-...


You might find this follow-up research interesting. It says gixy doesn't cover all of it: https://labs.detectify.com/2021/02/18/middleware-middleware-...

