NginxProxyManager/nginx-proxy-manager

NginxProxyManager/nginx-proxy-manager

nginxproxymanager.com

Releases91

Frequency1 month 3 days

Last Release 20 days ago

Stars33.4K

Docker container for managing Nginx proxy hosts with a simple, powerful interface

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-40519 ↗	Jun 8, 2026Monday, 8 June 2026, 20:17	7.5 HIGH	—
Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.
CVE-2025-50579 ↗	Aug 19, 2025Tuesday, 19 August 2025, 15:15	5.3 MEDIUM	—
A CORS misconfiguration in Nginx Proxy Manager v2.12.3 allows unauthorized domains to access sensitive data, particularly JWT tokens, due to improper validation of the Origin header. This misconfiguration enables attackers to intercept tokens using a simple browser script and exfiltrate them to a remote attacker-controlled server, potentially leading to unauthorized actions within the application.
CVE-2024-46256 ↗	Sep 27, 2024Friday, 27 September 2024, 18:15	9.8 CRITICAL	—
A Command injection vulnerability in requestLetsEncryptSsl in NginxProxyManager 2.11.3 allows an attacker to RCE via Add Let's Encrypt Certificate.
CVE-2024-46257 ↗	Sep 27, 2024Friday, 27 September 2024, 18:15	6.3 MEDIUM	—
A Command injection vulnerability in requestLetsEncryptSslWithDnsChallenge in NginxProxyManager 2.11.3 allows an attacker to achieve remote code execution via Add Let's Encrypt Certificate. NOTE: this is not part of any NGINX software shipped by F5.
CVE-2024-39935 ↗	Jul 4, 2024Thursday, 4 July 2024, 21:15	8.8 HIGH	—
jc21 NGINX Proxy Manager before 2.11.3 allows backend/internal/certificate.js OS command injection by an authenticated user (with certificate management privileges) via untrusted input to the DNS provider configuration. NOTE: this is not part of any NGINX software shipped by F5.
CVE-2023-27224 ↗	Mar 22, 2023Wednesday, 22 March 2023, 20:15	9.8 CRITICAL	—
An issue found in NginxProxyManager v.2.9.19 allows an attacker to execute arbitrary code via a lua script to the configuration file.
CVE-2023-23596 ↗	Jan 20, 2023Friday, 20 January 2023, 08:15	8.8 HIGH	—
jc21 NGINX Proxy Manager through 2.9.19 allows OS command injection. When creating an access list, the backend builds an htpasswd file with crafted username and/or password input that is concatenated without any validation, and is directly passed to the exec command, potentially allowing an authenticated attacker to execute arbitrary commands on the system. NOTE: this is not part of any NGINX software shipped by F5.
CVE-2022-28379 ↗	Apr 3, 2022Sunday, 3 April 2022, 18:15	6.8 MEDIUM	3.5 LOW
jc21.com Nginx Proxy Manager before 2.9.17 allows XSS during item deletion.
CVE-2019-15517 ↗	Aug 23, 2019Friday, 23 August 2019, 15:15	—	4.9 MEDIUM
jc21 Nginx Proxy Manager before 2.0.13 allows %2e%2e%2f directory traversal.