What is the CVSS score of CVE-2024-22198?

CVE-2024-22198 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L. EPSS exploitation probability: 16.0%.

Which versions of Nginx Ui are affected by CVE-2024-22198?

Organizations using Nginx-UI face moderate risk from CVE-2024-22198, a command injection vulnerability rated CVSS 7.1.. A patch is available.

Is there a public PoC exploit available for CVE-2024-22198?

Yes, a public proof-of-concept exploit is available for CVE-2024-22198. Prioritise patching immediately. EPSS: 16.0%.

How to fix or mitigate CVE-2024-22198?

Within 30 days: Identify all affected systems and apply vendor patches as part of regular patch cycle. Validate that input sanitization is in place for all user-controlled parameters.

Nginx Ui CVE-2024-22198

HIGH

Command Injection (CWE-77)

2024-01-11 security-advisories@github.com

Privilege Escalation Command Injection Information Disclosure Nginx RCE Nginx Ui

7.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.1 HIGH

AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:34 vuln.today

Patch released

Mar 28, 2026 - 19:34 nvd

Patch available

PoC Detected

Nov 21, 2024 - 08:55 vuln.today

Public exploit code

CVE Published

Jan 11, 2024 - 20:15 nvd

HIGH 7.1

DescriptionGitHub Advisory

Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The Home > Preference page exposes a list of system settings such as Run Mode, Jwt Secret, Node Secret and Terminal Start Command. While the UI doesn't allow users to modify the Terminal Start Command setting, it is possible to do so by sending a request to the API. This issue may lead to authenticated remote code execution, privilege escalation, and information disclosure. This vulnerability has been patched in version 2.0.0.beta.9.

AnalysisAI

Nginx-UI is a web interface to manage Nginx configurations. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 16.0%.

Technical ContextAI

This vulnerability is classified as Command Injection (CWE-77), which allows attackers to inject arbitrary commands into system command execution. Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The Home > Preference page exposes a list of system settings such as Run Mode, Jwt Secret, Node Secret and Terminal Start Command. While the UI doesn't allow users to modify the Terminal Start Command setting, it is possible to do so by sending a request to the API. This issue may lead to authenticated remote code execution, privilege escalation, and information disclosure. This vulnerability has been patched in version 2.0.0.beta.9. Affected products include: Nginxui Nginx Ui. Version information: version 2.0.0..

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Use parameterized APIs, avoid shell execution, validate input with strict allowlists.

CVE-2024-22198 vulnerability details – vuln.today

Back

Nginx Ui CVE-2024-22198

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code