CVE-2026-2145
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts via the nginxDir parameter in the nginxWebUI web management interface. When exploited, it enables cross-site scripting attacks that can steal session cookies, redirect users, or perform actions on their behalf. Systems running nginxWebUI version 4.3.7 or earlier with the web interface exposed are affected.
💻 Affected Systems
- cym1102 nginxWebUI
📦 What is this software?
Nginxwebui by Cym1102
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full control of the nginxWebUI interface, modify nginx configurations to redirect traffic, or deploy malware to visitors of the managed websites.
Likely Case
Attackers steal session cookies from authenticated administrators, hijack their sessions, and potentially modify nginx configurations to redirect legitimate traffic or inject malicious content.
If Mitigated
With proper input validation and output encoding, the attack fails to execute malicious scripts, preventing session hijacking and configuration tampering.
🎯 Exploit Status
Exploit details are publicly available in GitHub issues. Attack requires access to the web interface but not necessarily authentication to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch exists. Monitor the GitHub repository for updates. Consider upgrading to any future version beyond 4.3.7 when available.
🔧 Temporary Workarounds
Disable Web Interface
If the nginxWebUI web management interface is not required, disable it completely to eliminate the attack surface.
Stop the nginxWebUI service: systemctl stop nginxwebui
Disable automatic startup: systemctl disable nginxwebui
Restrict Access with Firewall
Limit access to the nginxWebUI web interface to trusted IP addresses only.
iptables -A INPUT -p tcp --dport [nginxWebUI-port] -s [trusted-IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [nginxWebUI-port] -j DROP
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules to block malicious payloads.
- Monitor access logs for suspicious requests to /adminPage/conf/check with unusual nginxDir parameter values.
🔍 How to Verify
Check if Vulnerable:
Check the nginxWebUI version. If it's 4.3.7 or earlier and the web interface is accessible, the system is vulnerable.
Check Version:
Check the nginxWebUI interface login page or configuration files for version information.
Verify Fix Applied:
Verify that the web interface is either disabled, restricted, or that the version is higher than 4.3.7 when a patch becomes available.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /adminPage/conf/check with suspicious characters in the nginxDir parameter (e.g., <script>, javascript:, onerror=)
Network Indicators:
- Unexpected JavaScript execution in the nginxWebUI interface
- Outbound connections to suspicious domains from the nginxWebUI server
SIEM Query:
source="nginxwebui" AND uri="/adminPage/conf/check" AND (param="*<script>*" OR param="*javascript:*" OR param="*onerror=*")
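The log indicator and SIEM query above, turned into an offline checker as an added example that is not part of this advisory: it parses combined-format access log lines, scopes to /adminPage/conf/check, URL-decodes the nginxDir value (including double encoding, which the plain SIEM wildcard would miss) and flags the listed patterns. The log lines are constructed, and the event-handler list is an assumption that goes beyond the page's onerror= example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Indicators from the advisory (<script>, javascript:, onerror=) plus a few more
# handler names; the extra handlers are an assumption, not from the page.
SUSPICIOUS = re.compile(r"<script|javascript:|on(error|load|click|mouseover)\s*=", re.IGNORECASE)
TARGET_PATH = "/adminPage/conf/check"

# Combined log format: ip - - [time] "METHOD /path?query HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so %253Cscript%253E does not slip past."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return (client ip, decoded nginxDir value) for a suspicious hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:          # only the vulnerable endpoint matters here
        return None
    # parse_qs already decodes once; decode_fully handles nested encoding
    for raw in parse_qs(parts.query, keep_blank_values=True).get("nginxDir", []):
        value = decode_fully(raw)
        if SUSPICIOUS.search(value):
            return (m.group("ip"), value)
    return None

def scan(lines):
    """Run inspect_line over an iterable of log lines and keep the hits."""
    return [hit for hit in (inspect_line(line) for line in lines) if hit]

# Constructed sample log: one benign request, two encoded payloads, one hit on another path.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2026:12:00:01 +0000] "GET /adminPage/conf/check?nginxDir=/usr/local/nginx HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Mar/2026:12:00:07 +0000] "GET /adminPage/conf/check?nginxDir=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 734',
    '10.0.0.9 - - [10/Mar/2026:12:00:09 +0000] "GET /adminPage/conf/check?nginxDir=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 734',
    '10.0.0.5 - - [10/Mar/2026:12:01:00 +0000] "GET /adminPage/main?nginxDir=%3Cscript%3E HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"suspicious nginxDir from {ip}: {value!r}")
```

Point it at the real access log of the reverse proxy or servlet container in front of nginxWebUI; a hit is a trigger for session invalidation and configuration review, not proof of compromise on its own.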