CVE-2026-40519
HIGH EPSS 55.8%
Published Jun 8, 20262w ago · Modified Jun 17, 20261w ago
7.7 CVSS 4.0
Published Jun 8, 2026 2w ago
Last Modified Jun 17, 2026 1w ago
Description
Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
55.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-78 OS Command Injection Injection
References 3
- github.com https://github.com/NginxProxyManager/nginx-proxy-manager/commit/a5db5ed156355e3088e7d1ceb0533d4bae922def
- github.com https://github.com/NginxProxyManager/nginx-proxy-manager/pull/5498
- vulncheck.com https://www.vulncheck.com/advisories/nginx-proxy-manager-authenticated-rce-via-setupcertbotplugins
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.