CVE-2026-40519 – Nginx Proxy Manager Authenticated RCE via setupCertbotPlugins()

CVE ID :CVE-2026-40519

Published : June 8, 2026, 8:17 p.m. | 17 minutes ago

Description :Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.

Severity: 7.7 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-44541 – Fides: DOM-based XSS vulnerability in fides.js via fides_description override

CVE-2026-40215 – OpenVPN Use-After-Free Race Condition

CVE-2026-11585 – CodeAstro Student Attendance Management System createClassArms.php sql injection

CVE-2026-49141 – WACRM Authorization Bypass via Automation Engine Endpoint