CVE-2026-40519

Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns provider credentials field. The user-controlled dns provider credentials value is interpolated directly into a shell command executed via child process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.