0xjacky/nginx-ui vulnerabilities
22 known vulnerabilities affecting 0xjacky/nginx-ui.
Total CVEs: 22
CISA KEV: 0
Public exploits: 2
Exploited in wild: 2
Severity breakdown: CRITICAL 10, HIGH 7, MEDIUM 5
Vulnerabilities
Page 1 of 2
CVE-2026-33032 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC | affected: ≤ 2.3.5 | 2026-03-30 | CWE-306
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the de
Source: nvd
CVE-2026-27944 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC | fixed in 2.3.3 | 2026-03-05 | CWE-306
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive dat
Source: nvd
CVE-2024-49368 | P2 | CRITICAL | CVSS 9.8 | fixed in 2.0.0-beta.36 | 2024-10-21 | CWE-20
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, when Nginx UI configures logrotate, it does not verify the input and directly passes it to exec.Command, causing arbitrary command execution. Version 2.0.0-beta.36 fixes this issue.
Source: nvd
CVE-2026-42238 | P2 | CRITICAL | CVSS 9.8 | fixed in 2.3.8 | 2026-05-04 | CWE-94
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the ap
Source: nvd
CVE-2026-42221 | P2 | CRITICAL | CVSS 9.8 | affected: >= 2.0.0, < 2.3.8 | 2026-05-04 | CWE-306
Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow
Source: nvd
CVE-2024-22198 | P2 | HIGH | CVSS 8.8 | fixed in 2.0.0.beta.9 | 2024-01-11 | CWE-77
Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The `Home > Preference` page exposes a list of system settings such as `Run Mode`, `Jwt Secret`, `Node Secret` and `Terminal Start Command`. While the UI doesn't allow users to modify the `Terminal Start Com
Source: nvd
CVE-2026-44015 | P2 | CRITICAL | CVSS 9.9 | affected: ≤ 2.3.4 | 2026-05-12 | CWE-918
Nginx UI is a web user interface for the Nginx web server. In 2.3.4 and earlier, an authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forwards these requests to the attacker-specified intern
Source: nvd
CVE-2026-33030 | P2 | CRITICAL | CVSS 9.9 | affected: ≤ 2.3.3 | 2026-03-30 | CWE-78
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints
Source: nvd
CVE-2024-23827 | P2 | CRITICAL | CVSS 9.8 | fixed in 2.0.0.beta.12 | 2024-01-29 | CWE-22
Nginx-UI is a web interface to manage Nginx configurations. The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system. It's possible to leverage the vulnerability into a remote code execution overwriting t
Source: nvd
CVE-2026-42222 | P2 | CRITICAL | CVSS 9.8 | affected: = 2.3.5 | 2026-05-04 | CWE-284
Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public patches are available.
Source: nvd
CVE-2024-22197 | P3 | HIGH | CVSS 8.8 | fixed in v2.0.0.beta.12 | 2024-01-11 | CWE-77
Nginx-ui provides online statistics for server indicators, monitoring CPU usage, memory usage, load average, and disk usage in real time. The `Home > Preference` page exposes a small list of nginx settings such as `Nginx Access Log Path` and `Nginx Error Log Path`. However, the API also exposes `test_config_cmd`, `reload_cmd` and `restart_cmd`. While the UI do
Source: nvd
CVE-2026-33031 | P3 | HIGH | CVSS 8.1 | fixed in 2.3.4 | 2026-04-20 | CWE-284
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user's access, so an attacker who already stole a JWT can continue reading and mo
Source: nvd
CVE-2026-33026 | P3 | CRITICAL | CVSS 9.1 | fixed in 2.3.4 | 2026-03-30 | CWE-312
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4.
Source: nvd
CVE-2026-33028 | P3 | HIGH | CVSS 7.5 | fixed in 2.3.4 | 2026-03-30 | CWE-362
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability re
Source: nvd
CVE-2024-49366 | P3 | HIGH | CVSS 7.5 | fixed in 2.0.0-beta.36 | 2024-10-21 | CWE-22
Nginx UI is a web user interface for the Nginx web server. Nginx UI v2.0.0-beta.35 and earlier gets the value from the json field without verification, and can construct a value in the form of `../../`. Arbitrary files can be written to the server, which may result in loss of permissions. Version 2.0.0-beta.26 fixes the issue.
Source: nvd
CVE-2024-49367 | P3 | HIGH | CVSS 7.5 | fixed in 2.0.0-beta.36 | 2024-10-21 | CWE-862
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, the log path of nginxui is controllable. This issue can be combined with the directory traversal at `/api/configs` to read directories and file contents on the server. Version 2.0.0-beta.36 fixes the issue.
Source: nvd
CVE-2026-34403 | P3 | HIGH | CVSS 8.1 | fixed in 2.3.5 | 2026-04-20 | CWE-1385
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript wi
Source: nvd
CVE-2026-42223 | P3 | MEDIUM | CVSS 6.5 | fixed in 2.3.8 | 2026-05-04 | CWE-200
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler (api/settings/settings.go:24-65) serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag is only enforced during writes (via ProtectedFill i
Source: nvd
CVE-2026-42220 | P3 | MEDIUM | CVSS 6.5 | fixed in 2.3.8 | 2026-05-04 | CWE-200
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired() through the X-Node-Secret header (or node_secret query parameter), causing the request to be treated
Source: nvd
CVE-2026-33027 | P3 | MEDIUM | CVSS 6.5 | fixed in 2.3.4 | 2026-03-30 | CWE-22
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operation on the base directory (/etc/nginx). In particular, t
Source: nvd