A vulnerability has been found in NginxProxyManager nginx-proxy-manager up to 2.15.1 and classified as critical . This vulnerability affects the function setupCertbotPlugins of the file backend/setup.js . This manipulation of the argument dns_provider_credentials causes os command injection. This vulnerability is registered as CVE-2026-40519 . Remote exploitation of the attack is possible. No exploit is available. It is recommended to apply a patch to fix this issue.