CVE Catalog

CVE-2026-40519

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

45th percentile - higher than 45% of all known CVEs

Summary

Nginx Proxy Manager versions 2.9.14 through 2.15.1 contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function. This allows attackers with certificates:manage permission to execute arbitrary commands.

Risk Assessment

This vulnerability could lead to serious security breaches, allowing attackers to remotely execute code on the server, potentially resulting in data loss or system takeover.

Recommendation

It is recommended to update Nginx Proxy Manager to a version where the vulnerability has been fixed and to review user permissions to limit access to certificate management functions.

Original NVD description (English source)

Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS