{"id":"CVE-2026-40519","summary":"Nginx Proxy Manager Authenticated RCE via setupCertbotPlugins()","details":"Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.","modified":"2026-07-08T08:02:10.515544167Z","published":"2026-06-08T19:28:51.872Z","database_specific":{"cwe_ids":["CWE-78"],"cna_assigner":"VulnCheck","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40519.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40519.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40519"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/nginx-proxy-manager-authenticated-rce-via-setupcertbotplugins"},{"type":"REPORT","url":"https://github.com/NginxProxyManager/nginx-proxy-manager/pull/5498"},{"type":"FIX","url":"https://github.com/NginxProxyManager/nginx-proxy-manager/commit/a5db5ed156355e3088e7d1ceb0533d4bae922def"},{"type":"PACKAGE","url":"https://github.com/NginxProxyManager/nginx-proxy-manager"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nginxproxymanager/nginx-proxy-manager","events":[{"introduced":"081380c8d57a8104f724fda2ff8e949d00b8e15a"},{"fixed":"76f09db610cfcaecf6d608a8947d6f75aa028870"},{"fixed":"a5db5ed156355e3088e7d1ceb0533d4bae922def"}],"database_specific":{"extracted_events":[{"introduced":"2.9.14"},{"fixed":"2.15.1"}],"source":["DESCRIPTION","REFERENCES"]}}],"versions":["v2.15.0","v2.14.0","v2.13.7","v2.13.6","v2.13.5","v2.13.4","v2.13.3","v2.13.2","v2.13.1","v2.13.0","v2.12.6","v2.12.5","v2.12.4","v2.12.3","v2.12.2","v2.12.1","v2.12.0","v2.11.3","v2.11.2","v2.11.1","v2.11.0","v2.10.4","v2.10.3","v2.10.2","v2.10.1","v2.10.0","v2.9.22","v2.9.21","v2.9.20","v2.9.19","v2.9.18","v2.9.17","v2.9.16","v2.9.15","v2.9.14"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40519.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}