Nginx Proxy Manager
Monthly
Authenticated remote code execution in Nginx Proxy Manager versions 2.9.14 through 2.15.1 allows users holding the certificates:manage permission to inject arbitrary OS commands via the dns_provider_credentials field, which executes on backend restart as the service account. No public exploit has been identified at time of analysis, but the vendor patch (commit a5db5ed) and a VulnCheck advisory disclose the exact sink (child_process.exec in setupCertbotPlugins), making weaponization straightforward. CVSS 7.5 (AV:N/AC:H/PR:L) reflects the authentication and timing prerequisites rather than reduced impact - successful exploitation yields full code execution on the proxy host.
A CORS misconfiguration in Nginx Proxy Manager v2.12.3 allows unauthorized domains to access sensitive data, particularly JWT tokens, due to improper validation of the Origin header. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A Command injection vulnerability in requestLetsEncryptSslWithDnsChallenge in NginxProxyManager 2.11.3 allows an attacker to achieve remote code execution via Add Let's Encrypt Certificate. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
A Command injection vulnerability in requestLetsEncryptSsl in NginxProxyManager 2.11.3 allows an attacker to RCE via Add Let's Encrypt Certificate. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
jc21 NGINX Proxy Manager before 2.11.3 allows backend/internal/certificate.js OS command injection by an authenticated user (with certificate management privileges) via untrusted input to the DNS. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
An issue found in NginxProxyManager v.2.9.19 allows an attacker to execute arbitrary code via a lua script to the configuration file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
jc21 NGINX Proxy Manager through 2.9.19 allows OS command injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
jc21.com Nginx Proxy Manager before 2.9.17 allows XSS during item deletion. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
jc21 Nginx Proxy Manager before 2.0.13 allows %2e%2e%2f directory traversal. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Authenticated remote code execution in Nginx Proxy Manager versions 2.9.14 through 2.15.1 allows users holding the certificates:manage permission to inject arbitrary OS commands via the dns_provider_credentials field, which executes on backend restart as the service account. No public exploit has been identified at time of analysis, but the vendor patch (commit a5db5ed) and a VulnCheck advisory disclose the exact sink (child_process.exec in setupCertbotPlugins), making weaponization straightforward. CVSS 7.5 (AV:N/AC:H/PR:L) reflects the authentication and timing prerequisites rather than reduced impact - successful exploitation yields full code execution on the proxy host.
A CORS misconfiguration in Nginx Proxy Manager v2.12.3 allows unauthorized domains to access sensitive data, particularly JWT tokens, due to improper validation of the Origin header. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A Command injection vulnerability in requestLetsEncryptSslWithDnsChallenge in NginxProxyManager 2.11.3 allows an attacker to achieve remote code execution via Add Let's Encrypt Certificate. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
A Command injection vulnerability in requestLetsEncryptSsl in NginxProxyManager 2.11.3 allows an attacker to RCE via Add Let's Encrypt Certificate. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
jc21 NGINX Proxy Manager before 2.11.3 allows backend/internal/certificate.js OS command injection by an authenticated user (with certificate management privileges) via untrusted input to the DNS. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
An issue found in NginxProxyManager v.2.9.19 allows an attacker to execute arbitrary code via a lua script to the configuration file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
jc21 NGINX Proxy Manager through 2.9.19 allows OS command injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
jc21.com Nginx Proxy Manager before 2.9.17 allows XSS during item deletion. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
jc21 Nginx Proxy Manager before 2.0.13 allows %2e%2e%2f directory traversal. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.