VYPR
Vendor

Vesta Control Panel

Products
2
CVEs
12
Across products
13
Status
Private

Products

2

Recent CVEs

12
  • CVE-2025-48703CriKEVSep 19, 2025
    risk 0.78cvss 9.0epss 1.00

    CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.

  • CVE-2023-42121CriMay 3, 2024
    risk 0.64cvss 9.8epss 0.01

    Control Web Panel Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is not required to exploit this vulnerability. The specific flaw…

  • CVE-2020-10786HigApr 21, 2020
    risk 0.58cvss 8.8epss 0.05

    A remote command execution in Vesta Control Panel through 0.9.8-26 allows any authenticated user to execute arbitrary commands on the system via cron jobs.

  • CVE-2019-12792HigAug 15, 2019
    risk 0.58cvss 8.8epss 0.05

    A command injection vulnerability in UploadHandler.php in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root.

  • CVE-2019-12791HigAug 15, 2019
    risk 0.58cvss 8.8epss 0.07

    A directory traversal vulnerability in the v-list-user script in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root via the password reset form.

  • CVE-2023-42123HigMay 3, 2024
    risk 0.57cvss 8.8epss 0.02

    Control Web Panel mysql_manager Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is required to exploit this vulnerability. The specific…

  • CVE-2023-42120HigMay 3, 2024
    risk 0.57cvss 8.8epss 0.02

    Control Web Panel dns_zone_editor Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is required to exploit this vulnerability. The specific…

  • CVE-2020-10787HigApr 21, 2020
    risk 0.57cvss 8.8epss 0.03

    An elevation of privilege in Vesta Control Panel through 0.9.8-26 allows an attacker to gain root system access from the admin account via v-change-user-password (aka the user password change script).

  • CVE-2023-42122HigMay 3, 2024
    risk 0.51cvss 7.8epss 0.01

    Control Web Panel wloggui Command Injection Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Control Web Panel. An attacker must first obtain the ability to execute low-privileged code on the…

  • CVE-2018-18547MedOct 24, 2018
    risk 0.40cvss 6.1epss 0.01

    Vesta Control Panel through 0.9.8-22 has XSS via the edit/web/ domain parameter, the list/backup/ backup parameter, the list/rrd/ period parameter, the list/directory/ dir_a parameter, or the filename to the list/directory/ URI.

  • CVE-2020-10808HigMar 22, 2020
    risk 0.09cvss 8.8epss 0.77

    Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .bash_logout to a .bash_logout' substring…

  • CVE-2019-9841MedApr 19, 2019
    risk 0.00cvss 6.1epss 0.01

    Vesta Control Panel 0.9.8-23 allows XSS via a crafted URL.