Nginx Proxy Manager Authenticated Remote Code Execution Vulnerability via OS Command Injection

Vulnerability

A remote code execution vulnerability has been identified in Nginx Proxy Manager versions from 2.9.14 up to, but not including, 2.15.1. The flaw stems from improper handling of user-supplied data in the setupCertbotPlugins() function of backend/setup.js. An attacker holding the 'certificates:manage' permission can inject commands through the 'dns_provider_credentials' field. Because that value is passed to the system without sanitization or escaping, the injected commands run on the server with the backend's privileges when the backend is restarted.

Impact

Exploitation of this vulnerability allows for authenticated remote code execution on the server where Nginx Proxy Manager is running.

Remediation

Users can update to Nginx Proxy Manager version 2.15.1 or later to address this vulnerability.

Added: Jun 8, 2026, 8:23 PM
Updated: Jun 8, 2026, 8:23 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 7.5
exploitability: 5.5
remediation: 7.7
relevance: 9.2
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.