Plateforme
nginx
Composant
nginx
Corrigé dans
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8
4.3.8
CVE-2026-2145 is a cross-site scripting (XSS) vulnerability affecting cym1102 nginxWebUI versions up to 4.3.7. This vulnerability allows remote attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The issue resides in the handling of the 'nginxDir' argument within the /adminPage/conf/check file of the Web Management Interface. A public proof-of-concept is available, indicating potential for exploitation.
Successful exploitation of CVE-2026-2145 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to a variety of malicious actions, including stealing session cookies, redirecting users to phishing sites, or modifying the content displayed on the web page. The attacker could potentially gain unauthorized access to sensitive data or compromise the entire system if the user has administrative privileges. The availability of a public proof-of-concept significantly increases the risk of exploitation, as it lowers the barrier to entry for attackers.
CVE-2026-2145 is currently rated LOW severity. A public proof-of-concept exists, indicating that exploitation is possible. The vulnerability was reported to the project early, but there has been no response. It is not currently listed on the CISA KEV catalog. Active exploitation is possible given the public PoC.
Organizations using cym1102 nginxWebUI for web management, particularly those with publicly accessible instances, are at risk. Shared hosting environments where multiple users share the same nginxWebUI installation are especially vulnerable, as an attacker could potentially compromise other users' accounts.
• nginx / web:
curl -I http://your-nginx-server/adminPage/conf/check?nginxDir=<script>alert(1)</script>• nginx / web: Examine access logs for requests to /adminPage/conf/check with unusual or suspicious parameters in the nginxDir query string.
• generic web: Check for unusual JavaScript behavior or unexpected redirects on pages served by nginxWebUI.
disclosure
Statut de l'Exploit
EPSS
0.02% (percentile 4%)
CISA SSVC
Vecteur CVSS
The primary mitigation for CVE-2026-2145 is to upgrade to a patched version of cym1102 nginxWebUI. As of this writing, no official patch has been released by the vendor. Until a patch is available, consider implementing input validation and sanitization on the 'nginxDir' parameter to prevent malicious code injection. Web Application Firewalls (WAFs) configured to detect and block XSS attacks can also provide a layer of protection. Monitor access logs for suspicious activity related to the /adminPage/conf/check endpoint.
Mettez à jour nginxWebUI à une version ultérieure à la 4.3.7. Cela résoudra la vulnérabilité de cross-site scripting. Consultez la documentation du fournisseur pour obtenir des instructions sur la façon de procéder à la mise à jour.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2026-2145 is a cross-site scripting (XSS) vulnerability in cym1102 nginxWebUI versions up to 4.3.7, allowing remote attackers to inject malicious scripts.
You are affected if you are using cym1102 nginxWebUI version 4.3.7 or earlier. Check your version and upgrade as soon as a patch is available.
Upgrade to a patched version of cym1102 nginxWebUI. Until a patch is released, implement input validation and consider using a WAF.
A public proof-of-concept exists, indicating the potential for active exploitation. Monitor your systems for suspicious activity.
Check the cym1102 project's website or GitHub repository for updates and advisories. As of this writing, no official advisory has been published.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.