CVE-2026-2145
Cross-Site Scripting in cym1102 nginxWebUI Web Interface
Publication date: 2026-02-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cym1102 | nginxwebui | to 4.3.7 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2145 is a reflected Cross-Site Scripting (XSS) vulnerability in cym1102 nginxWebUI versions up to 4.3.7. It occurs in the Web Management Interface, specifically in the "Validate Configuration" function accessed via the /adminPage/conf/check endpoint.

The vulnerability arises because the nginxDir parameter is not properly encoded or filtered before being included in the web page output. This allows an attacker to inject malicious scripts that are executed in the victim's browser.

An attacker with some level of authentication can exploit this remotely by injecting scripts into the nginxDir input, which can lead to client-side attacks such as stealing session cookies or hijacking accounts. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can impact you by allowing remote attackers to execute malicious scripts in your browser session when interacting with the nginxWebUI Web Management Interface.
- The attacker can steal session cookies, potentially leading to account hijacking.
- Malicious scripts can be spread through the web interface, compromising data integrity and user trust.
- Since the exploit is publicly available and the project has not provided a fix, the risk of exploitation is higher.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to inject a script payload into the "nginxDir" parameter of the vulnerable endpoint /adminPage/conf/check in the nginxWebUI web management interface. For example, after logging into the web interface, you can input a script such as <script>alert('xss')</script> into the "nginx directory" input box and submit it via the "Verify File" button. If the script executes, the system is vulnerable.

There are no specific network or system commands provided to detect this vulnerability automatically. Detection involves interacting with the web interface and observing if injected scripts are executed, indicating a reflected cross-site scripting flaw. [3]
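Since the advisory offers no detection commands, the following is an added example (not from the advisory or the nginxWebUI project) of a log-side check: it scans constructed Combined Log Format lines from a reverse proxy in front of nginxWebUI and flags requests to /adminPage/conf/check whose nginxDir value contains HTML metacharacters after URL decoding. It assumes the parameter is visible in the query string; the advisory does not state how the form submits it.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access log lines (Combined Log Format). The second line
# carries the advisory's own test payload; the third is the same kind of
# markup double-encoded, which a single decode pass would miss.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Feb/2026:10:01:02 +0000] "GET /adminPage/conf/check?nginxDir=%2Fusr%2Flocal%2Fnginx HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [08/Feb/2026:10:03:15 +0000] "GET /adminPage/conf/check?nginxDir=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Feb/2026:10:04:00 +0000] "GET /adminPage/conf/check?nginxDir=%253Cb%253Ehi%253C%252Fb%253E HTTP/1.1" 200 600 "-" "curl/8.0"
10.0.0.7 - - [08/Feb/2026:10:05:00 +0000] "GET /adminPage/index HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/adminPage/conf/check"
# A legitimate nginx directory path never needs any of these characters.
SUSPECT_RE = re.compile(r'[<>"\']')


def suspicious_requests(log_text):
    """Return (ip, timestamp, decoded nginxDir) for every request to the
    check endpoint whose nginxDir value contains HTML metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        # parse_qs already decodes one layer of percent-encoding.
        for value in parse_qs(parts.query).get("nginxDir", []):
            decoded = unquote_plus(value)  # second pass: double-encoded input
            if SUSPECT_RE.search(decoded):
                hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} nginxDir={value!r}")
```

Run it against the real proxy log instead of SAMPLE_LOG; a hit means someone submitted markup to the vulnerable parameter, which is worth reviewing whether or not the script actually rendered.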
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing strict output encoding such as HTML encoding on all user inputs, especially the "nginxDir" parameter, to prevent script injection.

Additionally, deploying a Content Security Policy (CSP) can help mitigate the risk of script execution from injected content.

Since no official patch or response has been provided by the project maintainers, it is also recommended to consider using alternative products or versions not affected by this vulnerability. [3, 2]