CVE-2026-40519 · MEDIUM · Command Injection · Patched · PoC public · Mitigation Active · Lifecycle 5/7

NginxProxyManager nginx-proxy-manager up to 2.15.1 backend/setup.js setupCertbotPlugins dns_provider_credentials os command injection

nginx-proxy-manager · 26d ago · Impact pending confirmation · CVSS 6.1
Vulnerability Description
A vulnerability was found in NginxProxyManager nginx-proxy-manager up to 2.15.1 (Firewall Software). It has been rated as critical. The issue affects the function setupCertbotPlugins in the file backend/setup.js. Applying the patch a5db5ed156355e3088e7d1ceb0533d4bae922def eliminates this problem.
Root Cause Analysis
Manipulating the argument dns_provider_credentials with an unknown input leads to an unknown weakness. The CWE classification for the problem is CWE-78: the product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the intended OS command when it is sent to a downstream component.

Impact: Confidentiality, integrity, and availability are affected.

Countermeasure: Applying the patch a5db5ed156355e3088e7d1ceb0533d4bae922def eliminates this problem.
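
The CWE-78 class named under Root Cause Analysis, shown in general form as an added example: this is not nginx-proxy-manager code and not the content of the referenced patch. The helper names and the sample credentials value are constructed for illustration; the weak helper passes a credentials string through a shell, the other writes it as plain data.

```javascript
// Added illustration of CWE-78; hypothetical helpers, not nginx-proxy-manager code.
const { execSync } = require("child_process");
const fs = require("fs");
const os = require("os");
const path = require("path");

// Constructed sample: a credentials value carrying shell command-substitution syntax.
const SAMPLE_CREDENTIALS = "dns_example_api_token = abc$(echo INJECTED)";

// Weak form: the value is spliced into a command line that /bin/sh parses,
// so shell metacharacters inside it are interpreted instead of stored.
function writeCredentialsViaShell(file, credentials) {
  execSync(`echo "${credentials}" > "${file}"`);
  return fs.readFileSync(file, "utf8").trimEnd();
}

// Hardened form: no shell is involved; the value is written as data,
// with owner-only permissions because it holds a secret.
function writeCredentialsDirect(file, credentials) {
  fs.writeFileSync(file, credentials + "\n", { mode: 0o600 });
  return fs.readFileSync(file, "utf8").trimEnd();
}

// Runs both forms on the same input inside a private temporary directory
// and returns what each one actually stored.
function compare(credentials) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "cwe78-"));
  try {
    return {
      shell: writeCredentialsViaShell(path.join(dir, "weak.ini"), credentials),
      direct: writeCredentialsDirect(path.join(dir, "safe.ini"), credentials),
    };
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

const result = compare(SAMPLE_CREDENTIALS);
console.log("stored via shell:", result.shell);
console.log("stored directly :", result.direct);
```

A stored value that differs from the submitted one is the signal that a shell parsed the input; the direct write returns it byte for byte.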
Validation (PoC/EXP) - Looking for Contributors
No public PoC yet

Public validation traces already exist. Community contributors can extend them with richer reproduction content.
