Skip to main content

Nginx Proxy Manager EUVDEUVD-2026-35196

| CVE-2026-40519 HIGH
OS Command Injection (CWE-78)
2026-06-08 VulnCheck
7.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Jun 08, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
Jun 08, 2026 - 20:22 NVD
7.5 (HIGH) 7.7 (HIGH)
Source Code Evidence Fetched
Jun 08, 2026 - 20:21 vuln.today
Analysis Generated
Jun 08, 2026 - 20:21 vuln.today
CVE Published
Jun 08, 2026 - 19:28 nvd
HIGH 7.7

DescriptionCVE.org

Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.

AnalysisAI

Authenticated remote code execution in Nginx Proxy Manager versions 2.9.14 through 2.15.1 allows users holding the certificates:manage permission to inject arbitrary OS commands via the dns_provider_credentials field, which executes on backend restart as the service account. No public exploit has been identified at time of analysis, but the vendor patch (commit a5db5ed) and a VulnCheck advisory disclose the exact sink (child_process.exec in setupCertbotPlugins), making weaponization straightforward. CVSS 7.5 (AV:N/AC:H/PR:L) reflects the authentication and timing prerequisites rather than reduced impact - successful exploitation yields full code execution on the proxy host.

Technical ContextAI

Nginx Proxy Manager is a Node.js-based web UI that wraps nginx and Let's Encrypt/certbot to manage reverse proxies and TLS certificates. The vulnerability is a textbook CWE-78 (OS Command Injection): the setupCertbotPlugins() routine in backend/setup.js built a shell command by string-interpolating the certificate's dns_provider_credentials field into a [ -f ... ] || { ... echo '${escapedCredentials}' > ... } template and passing it to utils.exec() (child_process.exec). The original code only escaped single quotes and backslashes, which is insufficient against shell metacharacters such as $( ), backticks, and newlines. The fix (PR #5498 / commit a5db5ed) eliminates the shell entirely by replacing the exec call with fs.mkdir + fs.writeFile, writing the credentials file via the Node filesystem API with mode 0o600 and the wx flag.

RemediationAI

Upgrade to a Nginx Proxy Manager release that includes commit a5db5ed (the fix that replaces the shell-based credentials write in backend/setup.js with fs.writeFile); the supplied data confirms an upstream patch is available but does not name a released tagged version, so verify by checking that backend/setup.js no longer invokes utils.exec on dns_provider_credentials. Until upgraded, restrict the certificates:manage permission to the smallest possible set of fully trusted administrators, audit existing certificate records for suspicious content in the dns_provider_credentials field (look for shell metacharacters such as $(, backticks, newlines, or pipe characters), and avoid restarting the backend after granting that permission to a new user - note the trade-off that delaying restarts also delays legitimate certificate provisioning. Refer to the vendor PR (https://github.com/NginxProxyManager/nginx-proxy-manager/pull/5498) and VulnCheck advisory (https://www.vulncheck.com/advisories/nginx-proxy-manager-authenticated-rce-via-setupcertbotplugins) for full details.

Share

EUVD-2026-35196 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy