CVE-2021-47871

HIGH

Hestia Control Panel 1.3.2 - File Write

Title source: llm

Description

Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the server.

Exploits (1)

exploitdb WORKING POC

by numan türle · textwebappsphp

https://www.exploit-db.com/exploits/49667

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/49667

[Various Sources] https://hestiacp.com/

[Various Sources] https://github.com/hestiacp/hestiacp

[Third Party Advisory] https://www.vulncheck.com/advisories/hestia-control-panel-arbitrary-file-write

Scores

CVSS v3 8.8

EPSS 0.0006

EPSS Percentile 18.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-73

Status published

Products (1)

Hestia Control Panel/Hestia Control Panel 1.3.3

Published Jan 21, 2026

Tracked Since Feb 18, 2026