CVE-2026-40519
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk45th percentile - higher than 45% of all known CVEs
Summary
Nginx Proxy Manager versions 2.9.14 through 2.15.1 contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function. This allows attackers with certificates:manage permission to execute arbitrary commands.
Risk Assessment
This vulnerability could lead to serious security breaches, allowing attackers to remotely execute code on the server, potentially resulting in data loss or system takeover.
Recommendation
It is recommended to update Nginx Proxy Manager to a version where the vulnerability has been fixed and to review user permissions to limit access to certificate management functions.
Original NVD description (English source)
Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.

