{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-40519/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-09T14:35:09.015Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-40519","@id":"https://www.cve.org/CVERecord?id=CVE-2026-40519","description":"Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process"},"products":[{"@id":"cpe:2.3:a:nginxproxymanager:nginx-proxy-manager:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:nginxproxymanager:nginx-proxy-manager:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"Update to a build that includes the fix commit a5db5ed156355e3088e7d1ceb0533d4bae922def.","timestamp":"2026-06-09T14:35:09.015Z"}]}