Nginxproxymanager CVEs and Security Vulnerabilities

Search

Use the Query Builder to create your own search query, or check out the documentation to learn the search syntax.

Search Examples

CVEs in KEV CVEs with EPSS >= 80% Crit. Microsoft High Apache SQL Injection (CWE-89) Linux Kernel High (CVSS 3.1) Apache Struts RCE (Remote Code Execution) XSS (CWE-79) Critical (CVSS 4.0) CVEs to check

Search Results (5 CVEs found)

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2026-40519	1 Nginxproxymanager	1 Nginx Proxy Manager	2026-06-08	7.5 High
Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.
CVE-2025-50579	2 Jc21, Nginxproxymanager	2 Nginx Proxy Manager, Nginx Proxy Manager	2025-09-24	5.3 Medium
A CORS misconfiguration in Nginx Proxy Manager v2.12.3 allows unauthorized domains to access sensitive data, particularly JWT tokens, due to improper validation of the Origin header. This misconfiguration enables attackers to intercept tokens using a simple browser script and exfiltrate them to a remote attacker-controlled server, potentially leading to unauthorized actions within the application.
CVE-2024-46256	2 Jc21, Nginxproxymanager	2 Nginx Proxy Manager, Nginx Proxy Manager	2025-06-03	9.8 Critical
A Command injection vulnerability in requestLetsEncryptSsl in NginxProxyManager 2.11.3 allows an attacker to RCE via Add Let's Encrypt Certificate.
CVE-2024-46257	2 Jc21, Nginxproxymanager	2 Nginx Proxy Manager, Nginx Proxy Manager	2025-06-03	6.3 Medium
A Command injection vulnerability in requestLetsEncryptSslWithDnsChallenge in NginxProxyManager 2.11.3 allows an attacker to achieve remote code execution via Add Let's Encrypt Certificate. NOTE: this is not part of any NGINX software shipped by F5.
CVE-2022-28379	1 Nginxproxymanager	1 Nginx Proxy Manager	2024-11-21	6.8 Medium
jc21.com Nginx Proxy Manager before 2.9.17 allows XSS during item deletion.

Page 1 of 1.