Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.
AnalysisAI
Authenticated remote code execution in Nginx Proxy Manager versions 2.9.14 through 2.15.1 allows users holding the certificates:manage permission to inject arbitrary OS commands via the dns_provider_credentials field, which executes on backend restart as the service account. No public exploit has been identified at time of analysis, but the vendor patch (commit a5db5ed) and a VulnCheck advisory disclose the exact sink (child_process.exec in setupCertbotPlugins), making weaponization straightforward. CVSS 7.5 (AV:N/AC:H/PR:L) reflects the authentication and timing prerequisites rather than reduced impact - successful exploitation yields full code execution on the proxy host.
Technical ContextAI
Nginx Proxy Manager is a Node.js-based web UI that wraps nginx and Let's Encrypt/certbot to manage reverse proxies and TLS certificates. The vulnerability is a textbook CWE-78 (OS Command Injection): the setupCertbotPlugins() routine in backend/setup.js built a shell command by string-interpolating the certificate's dns_provider_credentials field into a [ -f ... ] || { ... echo '${escapedCredentials}' > ... } template and passing it to utils.exec() (child_process.exec). The original code only escaped single quotes and backslashes, which is insufficient against shell metacharacters such as $( ), backticks, and newlines. The fix (PR #5498 / commit a5db5ed) eliminates the shell entirely by replacing the exec call with fs.mkdir + fs.writeFile, writing the credentials file via the Node filesystem API with mode 0o600 and the wx flag.
RemediationAI
Upgrade to a Nginx Proxy Manager release that includes commit a5db5ed (the fix that replaces the shell-based credentials write in backend/setup.js with fs.writeFile); the supplied data confirms an upstream patch is available but does not name a released tagged version, so verify by checking that backend/setup.js no longer invokes utils.exec on dns_provider_credentials. Until upgraded, restrict the certificates:manage permission to the smallest possible set of fully trusted administrators, audit existing certificate records for suspicious content in the dns_provider_credentials field (look for shell metacharacters such as $(, backticks, newlines, or pipe characters), and avoid restarting the backend after granting that permission to a new user - note the trade-off that delaying restarts also delays legitimate certificate provisioning. Refer to the vendor PR (https://github.com/NginxProxyManager/nginx-proxy-manager/pull/5498) and VulnCheck advisory (https://www.vulncheck.com/advisories/nginx-proxy-manager-authenticated-rce-via-setupcertbotplugins) for full details.
More in Nginx Proxy Manager
View allA Command injection vulnerability in requestLetsEncryptSsl in NginxProxyManager 2.11.3 allows an attacker to RCE via Add
An issue found in NginxProxyManager v.2.9.19 allows an attacker to execute arbitrary code via a lua script to the config
jc21 NGINX Proxy Manager through 2.9.19 allows OS command injection. Rated high severity (CVSS 8.8), this vulnerability
A Command injection vulnerability in requestLetsEncryptSslWithDnsChallenge in NginxProxyManager 2.11.3 allows an attacke
jc21 NGINX Proxy Manager before 2.11.3 allows backend/internal/certificate.js OS command injection by an authenticated u
jc21.com Nginx Proxy Manager before 2.9.17 allows XSS during item deletion. Rated medium severity (CVSS 4.8), this vulne
jc21 Nginx Proxy Manager before 2.0.13 allows %2e%2e%2f directory traversal. Rated medium severity (CVSS 5.5), this vuln
A CORS misconfiguration in Nginx Proxy Manager v2.12.3 allows unauthorized domains to access sensitive data, particularl
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35196