CVE-2026-2145
Description
A vulnerability was identified in cym1102 nginxWebUI up to 4.3.7. The impacted element is an unknown function of the file /adminPage/conf/check of the component Web Management Interface. Such manipulation of the argument nginxDir leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-2145 is a reflected XSS in nginxWebUI ≤4.3.7 via the nginxDir parameter of /adminPage/conf/check: a crafted value is echoed back without encoding, so attacker-supplied script runs in the browser of a user of the management interface.
Vulnerability
Overview
CVE-2026-2145 describes a reflected cross-site scripting (XSS) vulnerability in cym1102's nginxWebUI up to and including version 4.3.7. The bug resides in the /adminPage/conf/check endpoint of the Web Management Interface. The nginxDir parameter is reflected into the response without output encoding, so an attacker can inject arbitrary HTML and JavaScript into the page that the browser renders. The project maintainer has been notified via an issue report but has not yet responded [1][2][3].
Attack
Vector and Exploitation
The vulnerability is triggered remotely by a crafted request to the vulnerable endpoint. As with any reflected XSS, the injected script executes in the browser of whoever submits the crafted value, so the realistic target is a logged-in administrator who is induced to submit a form or open a link prepared by the attacker. The issue report demonstrates the bug by entering a script payload into the "nginx directory" input field and pressing "Verify File": the backend processes the value and returns it without HTML encoding, and the browser executes the script [2][3]. The exploit is publicly available and might be used in attacks [1].
Impact
An attacker exploiting this XSS can steal session cookies (where they are not marked HttpOnly), hijack user accounts, or deliver malicious content to other users of the management interface. Even with HttpOnly cookies, script running in an administrator's session can call the same management endpoints the administrator can. Because nginxWebUI is used to manage Nginx configurations and clusters, compromising an administrative session could therefore lead to broader control over the web server configuration [2][3].
Mitigation
No official patch has been released as of February 2026; the project has not responded to the issue report. The code-level fix is output encoding (HTML entity encoding appropriate to the context in which the value is rendered) of the nginxDir parameter before it is reflected; only the project, or operators who build from a patched fork, can apply it. Deployments can reduce the risk with a Content Security Policy that disallows inline script, set either by the application or by a reverse proxy in front of it. Until a fix is available, administrators should restrict access to the web management interface to trusted networks only [2][3].
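The unencoded-echo behaviour described under Attack, the output-encoding fix and the CSP advice under Mitigation, as an added Python example. This is not nginxWebUI code: vulnerable_check and hardened_check are hypothetical stand-ins for the /adminPage/conf/check response (the real response format is not shown on this page), the probe string is constructed for the demonstration and is not the payload from the issue report, and the CSP helpers show the header check a tester would run against the interface's responses.

```python
import html

# Constructed probe for the demonstration; not the payload from the issue report.
PROBE = '<img src=x onerror=alert(1)>'

# Constructed header sets: one weak (allows inline script), one corrected.
WEAK_CSP = "default-src 'self' 'unsafe-inline'"
STRICT_CSP = "default-src 'self'; object-src 'none'; base-uri 'none'"


def vulnerable_check(nginx_dir: str) -> str:
    """Hypothetical handler modelling the flaw: the submitted path is interpolated
    verbatim into an HTML response, so any markup in nginx_dir becomes live DOM
    in the browser of the user who submitted the form."""
    return f'<div class="result">Cannot find nginx directory: {nginx_dir}</div>'


def hardened_check(nginx_dir: str) -> str:
    """Same response with the reflected value HTML-entity encoded. quote=True also
    encodes ' and ", which keeps the value inert inside a quoted attribute."""
    safe = html.escape(nginx_dir, quote=True)
    return f'<div class="result">Cannot find nginx directory: {safe}</div>'


def reflected_unencoded(response_body: str, probe: str) -> bool:
    """Tester's check: True if the probe came back byte-for-byte, i.e. '<' and '>'
    were not encoded and the response is injectable in an HTML context. The
    encoded form (&lt;...&gt;) does not match and counts as a pass."""
    return probe in response_body


def effective_script_src(policy: str) -> str:
    """Return the source list that governs script execution: script-src if present,
    otherwise the default-src fallback (browser semantics), otherwise '' when the
    policy sets neither (or there is no policy at all)."""
    directives = {}
    for directive in policy.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name:
            directives[name] = value.strip()
    return directives.get("script-src", directives.get("default-src", ""))


def blocks_inline_script(policy: str) -> bool:
    """True if the policy would stop the classic inline payloads (onerror=,
    <script>) even if an encoding bug like this one is present."""
    src = effective_script_src(policy)
    return bool(src) and "'unsafe-inline'" not in src.split()


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_check), ("hardened", hardened_check)):
        body = handler(PROBE)
        verdict = "INJECTABLE" if reflected_unencoded(body, PROBE) else "encoded"
        print(f"{name:10s} {verdict:10s} {body}")
    for name, policy in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(f"CSP {name:6s} blocks inline script: {blocks_inline_script(policy)}")
```

html.escape is the right primitive only when the value lands in HTML text or a quoted attribute; if the endpoint instead returns JSON that client-side code inserts with innerHTML, the encoding has to happen at that insertion point in the browser. The CSP check is a defence-in-depth signal, not a substitute for the encoding fix: a nonce- or hash-based policy can legitimately carry 'unsafe-inline' for older browsers and would be reported as weak here.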
- GitHub - cym1102/nginxWebUI: Nginx web page configuration tool. Use web pages to quickly configure Nginx. (Nginx web management tool; use web pages to quickly configure and manage single-node and clustered nginx.)
- Security Issue: There is an XSS vulnerability in the nginxWebUI configuration file validation function
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/cym1102/nginxWebUI/issues/203 (NVD tags: Exploit, Third Party Advisory)
- vuldb.com (NVD tags: Third Party Advisory, VDB Entry)
- vuldb.com (NVD tags: Permissions Required, VDB Entry)
News mentions
No linked articles in our index yet.