Discover my CVE LogBook

My personal CVE Pokedex and my Preferred Way to Spend Time

List of Reported CVEs
CVE-2026-22809
Regular Expression Denial of Service (ReDoS) vulnerability
CVSS 4.4
tarteaucitron.js
A Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js, affecting the processing of the issuu_id parameter. Due to poorly constrained regular expressions applied to user-controlled input, an attacker could trigger excessive backtracking, leading to high CPU usage and potential service disruption. The issue has been fixed by simplifying and hardening the input validation logic.
13 January 2026
CVE-2026-40519
RCE via Shell Injection in DNS Credentials
CVSS 5
Nginx Proxy Manager
Nginx Proxy Manager is vulnerable to authenticated remote code execution due to a shell injection in setupCertbotPlugins() (backend/setup.js). The user-controlled field dns_provider_credentials is interpolated into a shell command executed via child_process.exec() without proper escaping. An attacker with certificates:manage permission can inject arbitrary commands, executed on backend restart (typically as root in Docker deployments).
17 April 2026
© 2023 Yassine Damiri. All Rights Reserved.