VYPR
Vendor: Vestacp
Products: 2
CVEs: 21 (across products: 21)
Status: Private

Recent CVEs (21)
  • CVE-2020-36948 (Critical), Jan 27, 2026
    risk 0.64, CVSS 9.8, EPSS 0.01

    VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper…

  • CVE-2015-4117 (High), Feb 28, 2018
    risk 0.61, CVSS 8.8, EPSS 0.11

    Vesta Control Panel before 0.9.8-14 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the backup parameter to list/backup/index.php.

  • CVE-2018-25117 (Critical), Oct 15, 2025
    risk 0.53, CVSS not listed, EPSS 0.00

    VestaCP commit a3f0fa1 (2018-05-31) up to commit ee03eff (2018-06-13) contain embedded malicious code that resulted in a supply-chain compromise. New installations created from the compromised installer since at least May 2018 were subject to installation of Linux/ChachaDDoS, a…

  • CVE-2021-47873 (High), Jan 21, 2026
    risk 0.47, CVSS 7.2, EPSS 0.00

    VestaCP versions prior to 0.9.8-25 contain a cross-site scripting vulnerability in the IP interface configuration that allows attackers to inject malicious scripts. Attackers can exploit the 'v_interface' parameter by sending a crafted POST request to the add/ip/ endpoint with a…

  • CVE-2018-10686 (Medium), May 6, 2018
    risk 0.40, CVSS 6.1, EPSS 0.01

    An issue was discovered in Vesta Control Panel 0.9.8-20. There is Reflected XSS via $_REQUEST['path'] to the view/file/index.php URI, which can lead to remote PHP code execution via vectors involving a file_put_contents call in web/upload/UploadHandler.php.

  • CVE-2020-10808, Mar 22, 2020
    risk 0.09, CVSS not listed, EPSS 0.77

    Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .bash_logout to a .bash_logout' substring…

  • CVE-2019-12792, Aug 15, 2019
    risk 0.01, CVSS not listed, EPSS 0.05

    A command injection vulnerability in UploadHandler.php in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root.

  • CVE-2022-3967, Nov 13, 2022
    risk 0.00, CVSS not listed, EPSS 0.00

    A vulnerability classified as critical was found in Vesta Control Panel. Affected is an unknown function of the file func/main.sh in the sed handler component. The manipulation leads to argument injection. The attack must be carried out locally. The name of the patch…

  • CVE-2021-46850, Oct 24, 2022
    risk 0.00, CVSS not listed, EPSS 0.05

    myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. An authenticated and remote administrative user can execute arbitrary commands via the v_sftp_license parameter when sending HTTP POST requests to the…

  • CVE-2022-36305, Jul 19, 2022
    risk 0.00, CVSS not listed, EPSS 0.00

    Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the body function at /web/api/v1/upload/UploadHandler.php.

  • CVE-2021-30462, Apr 8, 2021
    risk 0.00, CVSS not listed, EPSS 0.02

    VestaCP through 0.9.8-24 allows the admin user to escalate privileges to root because the Sudo configuration does not require a password to run /usr/local/vesta/bin scripts.

  • CVE-2021-30463, Apr 8, 2021
    risk 0.00, CVSS not listed, EPSS 0.01

    VestaCP through 0.9.8-24 allows attackers to gain privileges by creating symlinks to files for which they lack permissions. After reading the RKEY value from user.conf under the /usr/local/vesta/data/users/admin directory, the admin password can be changed via a…

  • CVE-2020-10787, Apr 21, 2020
    risk 0.00, CVSS not listed, EPSS 0.03

    An elevation of privilege in Vesta Control Panel through 0.9.8-26 allows an attacker to gain root system access from the admin account via v-change-user-password (aka the user password change script).

  • CVE-2020-10786, Apr 21, 2020
    risk 0.00, CVSS not listed, EPSS 0.05

    A remote command execution in Vesta Control Panel through 0.9.8-26 allows any authenticated user to execute arbitrary commands on the system via cron jobs.

  • CVE-2020-10966, Mar 25, 2020
    risk 0.00, CVSS not listed, EPSS 0.02

    In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name.

  • CVE-2019-9859, Mar 10, 2020
    risk 0.00, CVSS not listed, EPSS 0.03

    Vesta Control Panel (VestaCP) 0.9.7 through 0.9.8-23 is vulnerable to an authenticated command execution that can result in remote root access on the server. The platform works with PHP as the frontend language and uses shell scripts to execute system actions. PHP executes shell…

  • CVE-2019-12791, Aug 15, 2019
    risk 0.00, CVSS not listed, EPSS 0.07

    A directory traversal vulnerability in the v-list-user script in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root via the password reset form.

  • CVE-2019-9841, Apr 19, 2019
    risk 0.00, CVSS not listed, EPSS 0.01

    Vesta Control Panel 0.9.8-23 allows XSS via a crafted URL.

  • CVE-2018-1000884, Dec 20, 2018
    risk 0.00, CVSS not listed, EPSS 0.01

    Vesta CP versions prior to commit f6f6f9cfbbf2979e301956d1c6ab5c44386822c0 (any release prior to 0.9.8-18) contain a CWE-208 / Information Exposure Through Timing Discrepancy vulnerability in the password reset code (web/reset/index.php, line 51) that can result in Possible to…

  • CVE-2018-18547, Oct 24, 2018
    risk 0.00, CVSS not listed, EPSS 0.01

    Vesta Control Panel through 0.9.8-22 has XSS via the edit/web/ domain parameter, the list/backup/ backup parameter, the list/rrd/ period parameter, the list/directory/ dir_a parameter, or the filename to the list/directory/ URI.