216.73.217.86

CVE-2026-40519

· Published 08/06/2026 20:17 · Modified 09/06/2026 13:51

Labels: CVE-2026-40519 2026-06-08CVE-2026-40519CWE-78[email protected]

Essential information

Published
08/06/2026 20:17
Modified
09/06/2026 13:51
Author
Creator
CVSS
7.7 HIGH (v3) 7.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
nginx / nginx proxy manager cpe:2.3:a:nginx:nginx_proxy_manager:2.9.14-2.15.1:*:*:*:*:*:*:*

References