CVE-2026-12195

HIGH

Vesta - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Title source: rule
STIX 2.1

Description

myVesta is affected by an authenticated remote code execution vulnerability. Low privileged users can insert arbitrary commands as a part of the v_ftp_user parameter when deleting FTP usernames. This could result in the execution of commands as the admin user or takevoer of the admin user in myVesta.

Scores

CVSS v4 8.5
EPSS 0.0066
EPSS Percentile 47.0%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-78
Status published
Products (1)
myvesta/vesta < 95d7e43bf286d6881ca753dac93cb42d98cc7422
Published Jul 04, 2026
Tracked Since Jul 04, 2026