CVE-2021-46850

HIGH EXPLOITED

myVesta Control Panel <0.9.8-26-43 - Command Injection


Exploitation Summary

CVE-2021-46850 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including numan türle.

AI-analyzed exploit summary: This exploit demonstrates a command injection vulnerability in VestaCP 0.9.8 via the 'v_sftp_licence' parameter. The PoC injects a command to exfiltrate '/etc/shadow' to a Burp Collaborator endpoint, confirming arbitrary command execution.

Description

myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. An authenticated and remote administrative user can execute arbitrary commands via the v_sftp_license parameter when sending HTTP POST requests to the /edit/server endpoint.

Exploits (1)

exploitdb WORKING POC
by numan türle · text · webapps · multiple
https://www.exploit-db.com/exploits/49674

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: VestaCP < 0.9.8-26-43
Auth required
Prerequisites: Valid session cookie (PHPSESSID) · Access to the admin panel
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.2
EPSS 0.0524
EPSS Percentile 91.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

VulnCheck KEV 2021-06-03
CWE CWE-88
Status published
Products (2)
vestacp/control_panel < 0.9.8-26-43
vestacp/vesta_control_panel < 0.9.8-26
Published Oct 24, 2022
Tracked Since Feb 18, 2026