CVE-2026-40519 | NginxProxyManager nginx-proxy-manager up to 2.15.1 backend/setup.js setupCertbotPlugins dns_provider_credentials os command injection

Inserito da Angelo Barbosa | Giu 8, 2026 | CVE

A vulnerability has been found in NginxProxyManager nginx-proxy-manager up to 2.15.1 and classified as critical. This vulnerability affects the function setupCertbotPlugins of the file backend/setup.js. This manipulation of the argument dns_provider_credentials causes os command injection.

This vulnerability is registered as CVE-2026-40519. Remote exploitation of the attack is possible. No exploit is available.

It is recommended to apply a patch to fix this issue.

CVE-2026-40519 | NginxProxyManager nginx-proxy-manager up to 2.15.1 backend/setup.js setupCertbotPlugins dns_provider_credentials os command injection

Post correlati

CVE-2024-39360 | Wavlink AC3000 M33A8.V5030.210505 nas.cgi remove_dir command injection (TALOS-2024-2054)

CVE-2025-14107 | ZSPACE Q2C NAS up to 1.1.0210050 HTTP POST Request /v2/file/safe/status zfilev2_api.SafeStatus safe_dir command injection

CVE-2024-4970 | Widget Bundle Plugin up to 2.0.0 on WordPress Setting cross site scripting

CVE-2026-44546 | djangoproject daphne up to 4.2.1 Websocket Handshake splitlines request smuggling