Platform: nginx
Component: nginx
Fixed in: 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8
CVE-2026-2145 is a cross-site scripting (XSS) vulnerability affecting cym1102 nginxWebUI versions up to 4.3.7. It allows remote attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The issue lies in the handling of the 'nginxDir' argument of the /adminPage/conf/check endpoint of the web management interface. A public proof-of-concept is available, indicating potential for exploitation.
Successful exploitation of CVE-2026-2145 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to a variety of malicious actions, including stealing session cookies, redirecting users to phishing sites, or modifying the content displayed on the web page. The attacker could potentially gain unauthorized access to sensitive data or compromise the entire system if the user has administrative privileges. The availability of a public proof-of-concept significantly increases the risk of exploitation, as it lowers the barrier to entry for attackers.
CVE-2026-2145 is currently rated LOW severity. A public proof-of-concept exists, so exploitation is feasible. The vulnerability was reported to the project early, but there has been no response. It is not currently listed in the CISA KEV catalog, but active exploitation remains possible given the public PoC.
Organizations using cym1102 nginxWebUI for web management, particularly those with publicly accessible instances, are at risk. Shared hosting environments where multiple users share the same nginxWebUI installation are especially vulnerable, as an attacker could potentially compromise other users' accounts.
• nginx / web: Request the endpoint with a harmless test value and check whether it comes back unescaped in the response body. The URL must be quoted so the shell does not treat < and > as redirections, and -i (rather than -I, which sends a HEAD request and returns no body) prints both headers and body:
curl -s -i 'http://your-nginx-server/adminPage/conf/check?nginxDir=<script>alert(1)</script>'
• nginx / web: Examine access logs for requests to /adminPage/conf/check with unusual or suspicious values in the nginxDir query string.
• generic web: Check for unusual JavaScript behavior or unexpected redirects on pages served by nginxWebUI.
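The access-log check above can be automated. The following Python script is an added example, not code from the advisory or from the nginxWebUI project: it parses nginx combined-format access-log lines, extracts the nginxDir query parameter for requests to /adminPage/conf/check, percent-decodes it (twice, to catch double encoding) and flags values containing HTML tags, javascript: URLs or inline event handlers, none of which belong in a directory path. The log lines are constructed samples, and the markup heuristics are this example's own, not signatures published by the vendor.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (nginx combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Feb/2026:10:00:01 +0000] "GET /adminPage/conf/check?nginxDir=/usr/local/nginx HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Feb/2026:10:00:05 +0000] "GET /adminPage/conf/check?nginxDir=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 734 "-" "curl/8.4.0"
203.0.113.12 - - [10/Feb/2026:10:00:09 +0000] "GET /adminPage/conf/check?nginxDir=/etc/nginx%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 740 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Feb/2026:10:00:12 +0000] "GET /adminPage/main HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic markers of HTML/JavaScript in what should be a filesystem path:
# an opening or closing tag, a javascript: URL, or an inline event handler
# such as onmouseover=. A path segment like "/option=" would also match,
# so treat hits as leads to review, not as confirmed attacks.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)

TARGET_PATH = "/adminPage/conf/check"   # endpoint named in the advisory
PARAM = "nginxDir"                      # parameter named in the advisory


def extract_nginx_dir(target):
    """Return the decoded nginxDir value for a request to the affected endpoint, else None."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM)
    if not values:
        return None
    # parse_qs decodes once; decode again so %253C (double-encoded '<') is caught too.
    return unquote_plus(values[0])


def scan_access_log(text):
    """Return (client_ip, timestamp, decoded_value) for every suspicious nginxDir request."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        value = extract_nginx_dir(match.group("target"))
        if value is not None and MARKUP_RE.search(value):
            findings.append((match.group("ip"), match.group("ts"), value))
    return findings


if __name__ == "__main__":
    for ip, ts, value in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious {PARAM}={value!r}")
```

Run it against a real log with `scan_access_log(open("/var/log/nginx/access.log").read())`; the two constructed requests with markup in nginxDir are reported, while the plain path and the unrelated page are not.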
EPSS: 0.02% (4th percentile)
The primary mitigation for CVE-2026-2145 is to upgrade to a patched version of cym1102 nginxWebUI. As of this writing, no official patch has been released by the vendor. Until a patch is available, consider implementing input validation and sanitization on the 'nginxDir' parameter to prevent malicious code injection. Web Application Firewalls (WAFs) configured to detect and block XSS attacks can also provide a layer of protection. Monitor access logs for suspicious activity related to the /adminPage/conf/check endpoint.
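The interim mitigation above, input validation and sanitization of 'nginxDir', is shown below as an added Python example; it is not code from the advisory or from nginxWebUI, whose server-side handling of the parameter the advisory does not describe. The example assumes that nginxDir should be an absolute POSIX path and that the value is reflected into an HTML response (the reflection is this example's assumption, used to contrast the unsafe pattern with the hardened one). The hardened path applies an allowlist validator first and HTML-encodes the value on output, so either control alone still blocks script injection if the other is later loosened.

```python
import html
import re
from pathlib import PurePosixPath

# Assumed format for nginxDir (not from the project): an absolute path built only
# from letters, digits, '.', '_', '-' and '/'. Angle brackets, quotes, spaces and
# '=' are rejected outright, so no HTML or script fragment can pass.
NGINX_DIR_RE = re.compile(r'^/[A-Za-z0-9._/-]*$')
MAX_LEN = 255


class InvalidNginxDir(ValueError):
    """Raised when an nginxDir value fails validation."""


def validate_nginx_dir(value):
    """Return the normalized path if value is an acceptable nginxDir, else raise."""
    if not isinstance(value, str) or not value or len(value) > MAX_LEN:
        raise InvalidNginxDir("nginxDir must be a non-empty string of at most 255 characters")
    if not NGINX_DIR_RE.fullmatch(value):
        raise InvalidNginxDir("nginxDir may contain only letters, digits, '.', '_', '-' and '/'")
    path = PurePosixPath(value)
    # '..' would pass the character allowlist, so reject traversal segments explicitly.
    if ".." in path.parts:
        raise InvalidNginxDir("nginxDir must not contain '..' segments")
    return str(path)  # collapses duplicate and trailing slashes


def is_valid_nginx_dir(value):
    """Boolean form of validate_nginx_dir for callers that do not want exceptions."""
    try:
        validate_nginx_dir(value)
        return True
    except InvalidNginxDir:
        return False


def encode_for_html(value):
    """HTML-encode a string for safe insertion into element content or a quoted attribute."""
    return html.escape(value, quote=True)


def render_check_result_unsafe(nginx_dir):
    # Unsafe pattern (illustrative): the parameter is reflected verbatim into HTML,
    # so a value containing markup becomes part of the page.
    return f"<p>Checking configuration in {nginx_dir}</p>"


def render_check_result(nginx_dir):
    # Hardened form: reject anything that is not a plain path, then encode on output.
    safe_dir = validate_nginx_dir(nginx_dir)
    return f"<p>Checking configuration in {encode_for_html(safe_dir)}</p>"


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"   # constructed test value
    print("unsafe :", render_check_result_unsafe(probe))
    print("valid? :", is_valid_nginx_dir(probe))
    print("safe   :", render_check_result("/usr/local/nginx/"))
```

The validator is deliberately strict; if a deployment genuinely needs other characters in the path, widen the allowlist rather than removing the output encoding.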
Update nginxWebUI to a version later than 4.3.7. This resolves the cross-site scripting vulnerability. Consult the vendor's documentation for instructions on how to update.
CVE-2026-2145 is a cross-site scripting (XSS) vulnerability in cym1102 nginxWebUI versions up to 4.3.7, allowing remote attackers to inject malicious scripts.
You are affected if you are using cym1102 nginxWebUI version 4.3.7 or earlier. Check your version and upgrade as soon as a patch is available.
Upgrade to a patched version of cym1102 nginxWebUI. Until a patch is released, implement input validation and consider using a WAF.
A public proof-of-concept exists, indicating the potential for active exploitation. Monitor your systems for suspicious activity.
Check the cym1102 project's website or GitHub repository for updates and advisories. As of this writing, no official advisory has been published.