CVE-2026-40519
Published 2026-06-08
Priority: P2 · 58 · high · 7.5 · CVSS 3.1
CVSS 3.1 vector: AV:N / AC:H / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.92% (55.8th percentile)
Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nginxproxymanager | nginx-proxy-manager | 2.9.14 – 2.15.1 | — (no fixed release listed; the description cites commit a5db5ed) |
CVSS provenance
NVD, CVSS v3.1: 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 7.7 HIGH · CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Both vectors encode the same precondition from the description: the stored payload only executes when the backend restarts, which NVD scores as AC:H in v3.1 and as AT:P (attack requirements present) in v4.0. PR:L reflects that the attacker needs an account holding certificates:manage, not an administrator.
GHSA
ghsa_unreviewed · 2026-06-08 · HIGH · CWE-78
Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.
VulDB
vuldb · 2026-06-08 · CVSS 7.5 · HIGH · EUVD-2026-35196
NginxProxyManager nginx-proxy-manager up to 2.15.1 backend/setup.js setupCertbotPlugins dns_provider_credentials os command injection
A vulnerability has been found in NginxProxyManager nginx-proxy-manager up to 2.15.1 and classified as critical. This vulnerability affects the function setupCertbotPlugins of the file backend/setup.js. Manipulation of the argument dns_provider_credentials leads to OS command injection.
This vulnerability is registered as CVE-2026-40519. Remote exploitation of the attack is possible. No exploit is available.
It is recommended to apply a patch to fix this issue.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-08