Impact
The vulnerability is an OS command injection in the setupCertbotPlugins() function of Nginx Proxy Manager's backend/setup.js. An authenticated user with the certificates:manage permission can store malicious content in the dns_provider_credentials field, which is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping. The stored payload runs when the backend restarts, so the flaw effectively grants remote code execution on the host running the application; the impact is the complete compromise of confidentiality, integrity, and availability of the server.
Affected Systems
The flaw affects versions 2.9.14 through 2.15.1 of Nginx Proxy Manager. The vendor issued a fix in commit a5db5ed156355e3088e7d1ceb0533d4bae922def; any release after that addresses the problem.
Risk and Exploitability
The CVSS base score is 7.7, classifying the issue as high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, indicating no publicly known active exploitation at this time. However, exploitation requires an authenticated session with certificates:manage rights, which the attacker can obtain, for example, by compromising legitimate credentials or by exploiting other authentication weaknesses. Once authenticated, the attacker can inject malicious shell commands that execute during backend restart, leading to remote code execution. Therefore, the risk is significant, especially for environments that expose the API to untrusted users.
OpenCVE Enrichment