CVE-2026-2145
Awaiting Analysis Awaiting Analysis - Queue
Cross-Site Scripting in cym1102 nginxWebUI Web Interface

Publication date: 2026-02-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in cym1102 nginxWebUI up to 4.3.7. The impacted element is an unknown function of the file /adminPage/conf/check of the component Web Management Interface. Such manipulation of the argument nginxDir leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2145
EUVD
EUVD-2026-5804
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cym1102 nginxwebui to 4.3.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2145 is a reflected Cross-Site Scripting (XSS) vulnerability in cym1102 nginxWebUI versions up to 4.3.7. It occurs in the Web Management Interface, specifically in the "Validate Configuration" function accessed via the /adminPage/conf/check endpoint.'}, {'type': 'paragraph', 'content': "The vulnerability arises because the nginxDir parameter is not properly encoded or filtered before being included in the web page output. This allows an attacker to inject malicious scripts that are executed in the victim's browser."}, {'type': 'paragraph', 'content': 'An attacker with some level of authentication can exploit this remotely by injecting scripts into the nginxDir input, which can lead to client-side attacks such as stealing session cookies or hijacking accounts.'}] [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing remote attackers to execute malicious scripts in your browser session when interacting with the nginxWebUI Web Management Interface.

  • The attacker can steal session cookies, potentially leading to account hijacking.
  • Malicious scripts can be spread through the web interface, compromising data integrity and user trust.
  • Since the exploit is publicly available and the project has not provided a fix, the risk of exploitation is higher.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to inject a script payload into the "nginxDir" parameter of the vulnerable endpoint /adminPage/conf/check in the nginxWebUI web management interface. For example, after logging into the web interface, you can input a script such as <script>alert(\'xss\')</script> into the "nginx directory" input box and submit it via the "Verify File" button. If the script executes, the system is vulnerable.'}, {'type': 'paragraph', 'content': 'There are no specific network or system commands provided to detect this vulnerability automatically. Detection involves interacting with the web interface and observing if injected scripts are executed, indicating a reflected cross-site scripting flaw.'}] [3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include implementing strict output encoding such as HTML encoding on all user inputs, especially the "nginxDir" parameter, to prevent script injection.'}, {'type': 'paragraph', 'content': 'Additionally, deploying a Content Security Policy (CSP) can help mitigate the risk of script execution from injected content.'}, {'type': 'paragraph', 'content': 'Since no official patch or response has been provided by the project maintainers, it is also recommended to consider using alternative products or versions not affected by this vulnerability.'}] [3, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2145. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart