Skip to main content

myVesta CVE-2026-12195

| EUVDEUVD-2026-41665 HIGH
OS Command Injection (CWE-78)
2026-07-04 PRJBLK GHSA-233w-5rfj-8hmj
8.5
CVSS 4.0 · Vendor: PRJBLK
Share

Severity by source

Vendor (PRJBLK) PRIMARY
8.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.9 CRITICAL

Network-reachable panel with a low-privileged account (PR:L, AC:L) injecting commands run as admin, a privilege boundary crossing (S:C) yielding full host compromise (C:H/I:H/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (PRJBLK).

CVSS VectorVendor: PRJBLK

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 04, 2026 - 12:21 vuln.today

DescriptionCVE.org

myVesta is affected by an authenticated remote code execution vulnerability. Low privileged users can insert arbitrary commands as a part of the v_ftp_user parameter when deleting FTP usernames. This could result in the execution of commands as the admin user or takevoer of the admin user in myVesta.

AnalysisAI

Authenticated OS command injection in the myVesta hosting control panel lets a low-privileged user inject arbitrary shell commands through the v_ftp_user parameter during FTP-account deletion, escalating to full command execution as the admin user and takeover of the panel. Publicly available exploit code exists (documented by ProjectBlack/PRJBLK) and a vendor fix commit has been published, though no CISA KEV listing or EPSS data is provided. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged myVesta user
Delivery
Open delete FTP user action
Exploit
Inject shell payload in v_ftp_user parameter
Execution
Backend runs command as admin
Impact
Achieve admin RCE and panel takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated low-privileged myVesta account (PR:L) and the ability to reach the panel over the network, then invoking the delete-FTP-username action while placing an OS command payload in the v_ftp_user parameter - that specific feature and parameter ARE the required condition. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N, VC:H with subsequent-system SC:H/SI:H/SA:H, base 8.5) is internally consistent with the description: network-reachable, low complexity, no user interaction, requires an existing low-privileged authenticated account, and yields a scope-crossing compromise of the admin user. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or been granted a low-privileged myVesta account logs in and initiates deletion of an FTP user, supplying a crafted v_ftp_user value containing shell metacharacters (for example a value that appends '; <command>'). The injected command is executed by the privileged backend as the admin user, giving the attacker admin-level command execution and full control of the hosting panel and underlying server. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the vendor fix from commit 95d7e43bf286d6881ca753dac93cb42d98cc7422 (https://github.com/myvesta/vesta/commit/95d7e43bf286d6881ca753dac93cb42d98cc7422) by updating myVesta to a build that includes it, since no discrete patched version number is published in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all myVesta instances and determine versions; assess for breach indicators. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12195 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy