7 matches found
CVE-2024-46257
CVE-2024-46257 describes a command-injection vulnerability in NginxProxyManager 2.11.3, specifically in the requestLetsEncryptSslWithDnsChallenge path, enabling remote code execution when adding a Let’s Encrypt certificate. Multiple connected sources corroborate that the flaw allows RCE and perta...
CVE-2024-39935
CVE-2024-39935 affects jc21 NGINX Proxy Manager before 2.11.3. The vulnerability enables an authenticated user with certificate-management privileges to execute OS commands via untrusted input to the DNS provider configuration in the backend/internal/certificate.js, with potential for full impact...
CVE-2024-46256
CVE-2024-46256 affects NginxProxyManager 2.11.3 and is due to a command injection in the requestLetsEncryptSsl routine that enables remote code execution when adding a Let’s Encrypt certificate. The Red Hat/OSV/NVD entries corroborate the same vulnerability description (CVE-2024-46256) and identi...
CVE-2023-27224
CVE-2023-27224 affects NginxProxyManager v2.9.19. A vulnerability allows remote attackers to execute arbitrary code by injecting a Lua script into the configuration file, due to insufficient input/data sanitization at the management level. This is described across multiple sources, and the impact...
CVE-2019-15517
jc21 Nginx Proxy Manager
CVE-2023-23596
CVE-2023-23596 affects jc21 NGINX Proxy Manager up to version 2.9.19. The issue arises when creating an access list: the backend builds an htpasswd file using crafted username/password inputs that are concatenated without validation and directly passed to an exec command, enabling potential OS co...
CVE-2025-50579
CVE-2025-50579 affects Nginx Proxy Manager v2.12.3, where a CORS misconfiguration allows unauthorized domains to access sensitive data (JWT tokens) due to improper Origin header validation. Attack possible via a simple browser script to exfiltrate tokens to a remote server, potentially enabling u...