vestacp 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は パス処理の欠陥、vendor risk csrf, and vendor risk input validation に関連することが多く、vendor surface production workloads and vendor surface software deployment の文脈で ファイル上書き and vendor impact unexpected behavior などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2020-36948 | VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions. | [email protected] | 8.7 | 0.56% | 2026-01-27 | 2026-06-16 |
| CVE-2021-47873 | VestaCP versions prior to 0.9.8-25 contain a cross-site scripting vulnerability in the IP interface configuration that allows attackers to inject malicious scripts. Attackers can exploit the 'v_interface' parameter by sending a crafted POST request to the add/ip/ endpoint with a stored XSS payload. | [email protected] | 5.1 | 0.19% | 2026-01-21 | 2026-06-17 |
| CVE-2018-25117 | VestaCP commit a3f0fa1 (2018-05-31) up to commit ee03eff (2018-06-13) contain embedded malicious code that resulted in a supply-chain compromise. New installations created from the compromised installer since at least May 2018 were subject to installation of Linux/ChachaDDoS, a multi-stage DDoS bot that uses Lua for second- and third-stage components. The compromise leaked administrative credentials (base64-encoded admin password and server domain) to an external URL during installation and/or r | [email protected] | 9.3 | 0.40% | 2025-10-14 | 2026-06-16 |
| CVE-2022-3967 | A vulnerability, which was classified as critical, was found in Vesta Control Panel. Affected is an unknown function of the file func/main.sh of the component sed Handler. The manipulation leads to argument injection. An attack has to be approached locally. The name of the patch is 39561c32c12cabe563de48cc96eccb9e2c655e25. It is recommended to apply a patch to fix this issue. VDB-213546 is the identifier assigned to this vulnerability. | [email protected] | 5.3 | 0.22% | 2022-11-13 | 2026-06-17 |
| CVE-2021-46850 | myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. An authenticated and remote administrative user can execute arbitrary commands via the v_sftp_license parameter when sending HTTP POST requests to the /edit/server endpoint. | [email protected] | 7.2 | 5.24% | 2022-10-24 | 2026-06-17 |
| CVE-2022-36305 | Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the body function at /web/api/v1/upload/UploadHandler.php. | [email protected] | 6.1 | 0.43% | 2022-07-19 | 2026-06-17 |
| CVE-2022-36304 | Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the generate_response function at /web/api/v1/upload/UploadHandler.php. | [email protected] | 6.1 | 0.43% | 2022-07-19 | 2026-06-17 |
| CVE-2022-36303 | Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the handle_file_upload function at /web/api/v1/upload/UploadHandler.php. | [email protected] | 6.1 | 0.43% | 2022-07-19 | 2026-06-17 |
| CVE-2022-34025 | Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the post function at /web/api/v1/upload/UploadHandler.php. | [email protected] | 6.1 | 0.43% | 2022-07-19 | 2026-06-17 |
| CVE-2021-43693 | vesta 0.9.8-24 is affected by a file inclusion vulnerability in file web/add/user/index.php. | [email protected] | 9.8 | 1.21% | 2021-11-29 | 2026-06-17 |
| CVE-2021-30463 | VestaCP through 0.9.8-24 allows attackers to gain privileges by creating symlinks to files for which they lack permissions. After reading the RKEY value from user.conf under the /usr/local/vesta/data/users/admin directory, the admin password can be changed via a /reset/?action=confirm&user=admin&code= URI. This occurs because chmod is used unsafely. | [email protected] | 7.8 | 0.50% | 2021-04-08 | 2026-06-16 |
| CVE-2021-30462 | VestaCP through 0.9.8-24 allows the admin user to escalate privileges to root because the Sudo configuration does not require a password to run /usr/local/vesta/bin scripts. | [email protected] | 7.2 | 1.80% | 2021-04-08 | 2026-06-16 |
| CVE-2021-28379 | web/upload/UploadHandler.php in Vesta Control Panel (aka VestaCP) through 0.9.8-27 and myVesta through 0.9.8-26-39 allows uploads from a different origin. | [email protected] | 8.8 | 6.03% | 2021-03-15 | 2026-06-16 |
| CVE-2020-10787 | An elevation of privilege in Vesta Control Panel through 0.9.8-26 allows an attacker to gain root system access from the admin account via v-change-user-password (aka the user password change script). | [email protected] | 8.8 | 2.50% | 2020-04-21 | 2026-06-16 |
| CVE-2020-10786 | A remote command execution in Vesta Control Panel through 0.9.8-26 allows any authenticated user to execute arbitrary commands on the system via cron jobs. | [email protected] | 8.8 | 4.84% | 2020-04-21 | 2026-06-16 |
| CVE-2020-10966 | In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name. | [email protected] | 6.5 | 1.85% | 2020-03-25 | 2026-06-16 |
| CVE-2020-10808 | Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .bash_logout to a .bash_logout' substring followed by shell metacharacters. | [email protected] | 8.8 | 77.26% | 2020-03-22 | 2026-06-16 |
| CVE-2019-9859 | Vesta Control Panel (VestaCP) 0.9.7 through 0.9.8-23 is vulnerable to an authenticated command execution that can result in remote root access on the server. The platform works with PHP as the frontend language and uses shell scripts to execute system actions. PHP executes shell script through the dangerous command exec. This function can be dangerous if arguments passed to it are not filtered. Every user input in VestaCP that is used as an argument is filtered with the escapeshellarg function. | [email protected] | 8.8 | 3.00% | 2020-03-10 | 2026-06-16 |
| CVE-2019-12792 | A command injection vulnerability in UploadHandler.php in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root. | [email protected] | 8.8 | 4.86% | 2019-08-15 | 2026-06-16 |
| CVE-2019-12791 | A directory traversal vulnerability in the v-list-user script in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root via the password reset form. | [email protected] | 8.8 | 6.50% | 2019-08-15 | 2026-06-16 |