CVE-2026-40519
HIGH
Nginx Proxy Manager Authenticated RCE via setupCertbotPlugins()
Title source: cnaDescription
Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.
References (3)
Issue Tracking: https://github.com/NginxProxyManager/nginx-proxy-manager/pull/5498
Patch: https://github.com/NginxProxyManager/nginx-proxy-manager/commit/a5db5ed156355e3088e7d1ceb0533d4bae922def
Third Party Advisory: https://www.vulncheck.com/advisories/nginx-proxy-manager-authenticated-rce-via-setupcertbotplugins
Scores
CVSS v3: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
EPSS: 0.0092 (percentile 55.5%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-78
Status: published
Products (2)
NginxProxyManager/nginx-proxy-manager: 2.9.14 - 2.15.1
NginxProxyManager/nginx-proxy-manager: a5db5ed156355e3088e7d1ceb0533d4bae922def
Published: Jun 08, 2026
Tracked Since: Jun 09, 2026