Vesta Control Panel
Products
2- 12 CVEs
- 1 CVE
Recent CVEs
12| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-48703 | Cri | 0.78 | 9.0 | 1.00 | KEV | Sep 19, 2025 | CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known. | |
| CVE-2023-42121 | Cri | 0.64 | 9.8 | 0.01 | May 3, 2024 | Control Web Panel Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is not required to exploit this vulnerability. The specific flaw… | ||
| CVE-2020-10786 | Hig | 0.58 | 8.8 | 0.05 | Apr 21, 2020 | A remote command execution in Vesta Control Panel through 0.9.8-26 allows any authenticated user to execute arbitrary commands on the system via cron jobs. | ||
| CVE-2019-12792 | Hig | 0.58 | 8.8 | 0.05 | Aug 15, 2019 | A command injection vulnerability in UploadHandler.php in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root. | ||
| CVE-2019-12791 | Hig | 0.58 | 8.8 | 0.07 | Aug 15, 2019 | A directory traversal vulnerability in the v-list-user script in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root via the password reset form. | ||
| CVE-2023-42123 | Hig | 0.57 | 8.8 | 0.02 | May 3, 2024 | Control Web Panel mysql_manager Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is required to exploit this vulnerability. The specific… | ||
| CVE-2023-42120 | Hig | 0.57 | 8.8 | 0.02 | May 3, 2024 | Control Web Panel dns_zone_editor Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is required to exploit this vulnerability. The specific… | ||
| CVE-2020-10787 | Hig | 0.57 | 8.8 | 0.03 | Apr 21, 2020 | An elevation of privilege in Vesta Control Panel through 0.9.8-26 allows an attacker to gain root system access from the admin account via v-change-user-password (aka the user password change script). | ||
| CVE-2023-42122 | Hig | 0.51 | 7.8 | 0.01 | May 3, 2024 | Control Web Panel wloggui Command Injection Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Control Web Panel. An attacker must first obtain the ability to execute low-privileged code on the… | ||
| CVE-2018-18547 | Med | 0.40 | 6.1 | 0.01 | Oct 24, 2018 | Vesta Control Panel through 0.9.8-22 has XSS via the edit/web/ domain parameter, the list/backup/ backup parameter, the list/rrd/ period parameter, the list/directory/ dir_a parameter, or the filename to the list/directory/ URI. | ||
| CVE-2020-10808 | Hig | 0.09 | 8.8 | 0.77 | Mar 22, 2020 | Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .bash_logout to a .bash_logout' substring… | ||
| CVE-2019-9841 | Med | 0.00 | 6.1 | 0.01 | Apr 19, 2019 | Vesta Control Panel 0.9.8-23 allows XSS via a crafted URL. |
- risk 0.78cvss 9.0epss 1.00
CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
- risk 0.64cvss 9.8epss 0.01
Control Web Panel Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is not required to exploit this vulnerability. The specific flaw…
- risk 0.58cvss 8.8epss 0.05
A remote command execution in Vesta Control Panel through 0.9.8-26 allows any authenticated user to execute arbitrary commands on the system via cron jobs.
- risk 0.58cvss 8.8epss 0.05
A command injection vulnerability in UploadHandler.php in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root.
- risk 0.58cvss 8.8epss 0.07
A directory traversal vulnerability in the v-list-user script in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root via the password reset form.
- risk 0.57cvss 8.8epss 0.02
Control Web Panel mysql_manager Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is required to exploit this vulnerability. The specific…
- risk 0.57cvss 8.8epss 0.02
Control Web Panel dns_zone_editor Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is required to exploit this vulnerability. The specific…
- risk 0.57cvss 8.8epss 0.03
An elevation of privilege in Vesta Control Panel through 0.9.8-26 allows an attacker to gain root system access from the admin account via v-change-user-password (aka the user password change script).
- risk 0.51cvss 7.8epss 0.01
Control Web Panel wloggui Command Injection Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Control Web Panel. An attacker must first obtain the ability to execute low-privileged code on the…
- risk 0.40cvss 6.1epss 0.01
Vesta Control Panel through 0.9.8-22 has XSS via the edit/web/ domain parameter, the list/backup/ backup parameter, the list/rrd/ period parameter, the list/directory/ dir_a parameter, or the filename to the list/directory/ URI.
- risk 0.09cvss 8.8epss 0.77
Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .bash_logout to a .bash_logout' substring…
- risk 0.00cvss 6.1epss 0.01
Vesta Control Panel 0.9.8-23 allows XSS via a crafted URL.