HIGH
NginxProxyManager
CVE published 2026-06-08
CVE-2026-40519
CVE-2026-40519 is an authenticated remote code execution vulnerability in Nginx Proxy Manager versions 2.9.14 through 2.15.1. The vulnerability is caused by OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field.