Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable panel with a low-privileged account (PR:L, AC:L) injecting commands run as admin, a privilege boundary crossing (S:C) yielding full host compromise (C:H/I:H/A:H).
Primary rating from Vendor (PRJBLK).
CVSS VectorVendor: PRJBLK
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
myVesta is affected by an authenticated remote code execution vulnerability. Low privileged users can insert arbitrary commands as a part of the v_ftp_user parameter when deleting FTP usernames. This could result in the execution of commands as the admin user or takevoer of the admin user in myVesta.
AnalysisAI
Authenticated OS command injection in the myVesta hosting control panel lets a low-privileged user inject arbitrary shell commands through the v_ftp_user parameter during FTP-account deletion, escalating to full command execution as the admin user and takeover of the panel. Publicly available exploit code exists (documented by ProjectBlack/PRJBLK) and a vendor fix commit has been published, though no CISA KEV listing or EPSS data is provided. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated low-privileged myVesta account (PR:L) and the ability to reach the panel over the network, then invoking the delete-FTP-username action while placing an OS command payload in the v_ftp_user parameter - that specific feature and parameter ARE the required condition. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N, VC:H with subsequent-system SC:H/SI:H/SA:H, base 8.5) is internally consistent with the description: network-reachable, low complexity, no user interaction, requires an existing low-privileged authenticated account, and yields a scope-crossing compromise of the admin user. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or been granted a low-privileged myVesta account logs in and initiates deletion of an FTP user, supplying a crafted v_ftp_user value containing shell metacharacters (for example a value that appends '; <command>'). The injected command is executed by the privileged backend as the admin user, giving the attacker admin-level command execution and full control of the hosting panel and underlying server. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - apply the vendor fix from commit 95d7e43bf286d6881ca753dac93cb42d98cc7422 (https://github.com/myvesta/vesta/commit/95d7e43bf286d6881ca753dac93cb42d98cc7422) by updating myVesta to a build that includes it, since no discrete patched version number is published in the available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all myVesta instances and determine versions; assess for breach indicators. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41665
GHSA-233w-5rfj-8hmj