CVE-2021-47871

HIGH

Hestia Control Panel 1.3.2 - File Write

Title source: llm

Description

Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the server.

Exploits (1)

exploitdb WORKING POC

by numan türle · textwebappsphp

https://www.exploit-db.com/exploits/49667

View Code ZIP pw:eip

References (4)

[Various Sources] https://github.com/hestiacp/hestiacp

[Various Sources] https://hestiacp.com/

[Third Party Advisory] https://www.vulncheck.com/advisories/hestia-control-panel-arbitrary-file-write

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/49667

Scores

CVSS v3 8.8

EPSS 0.0005

EPSS Percentile 15.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-73

Status draft

Timeline

Published Jan 21, 2026

Tracked Since Feb 18, 2026