PatchSiren cyber security CVE debrief
CVE-2026-40519 NginxProxyManager CVE debrief
CVE-2026-40519 is an authenticated remote code execution vulnerability in Nginx Proxy Manager versions 2.9.14 through 2.15.1. The vulnerability is caused by OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field.
- Vendor: NginxProxyManager
- Product: nginx-proxy-manager
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-09
Who should care
Users of Nginx Proxy Manager versions 2.9.14 through 2.15.1 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by the user-controlled dns_provider_credentials value being interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping. Shell metacharacters in the stored value therefore terminate the intended command, and the attacker-supplied remainder executes when the backend restarts.
Defensive priority
HIGH
Recommended defensive actions
- Update to a version of Nginx Proxy Manager that is not vulnerable.
- Restrict access to the certificates:manage permission.
- Monitor for suspicious activity, in particular changes to stored DNS provider credentials and unexpected processes spawned by the backend after a restart.
Evidence notes
The CVE-2026-40519 vulnerability was reported by Vulncheck and is described in their advisory at [ref-6]. The fix for this vulnerability was committed in [ref-4] and is also described in [ref-5].
Official resources
CVE-2026-40519 was published on 2026-06-08T20:17:00.820Z and modified on 2026-06-09T13:51:18.770Z.