
Description

Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the server.

PUBLISHED Reserved 2026-01-18 | Published 2026-01-21 | Updated 2026-01-22 | Assigner VulnCheck




HIGH: 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
HIGH: 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

External Control of File Name or Path

Product status

1.3.3
affected

Credits

Numan Türle (finder)

References

www.exploit-db.com/exploits/49667 (ExploitDB-49667) exploit

hestiacp.com/ (Hestia Control Panel Official Homepage) product

github.com/hestiacp/hestiacp (Hestia Control Panel GitHub Repository) product

www.vulncheck.com/...stia-control-panel-arbitrary-file-write (VulnCheck Advisory: Hestia Control Panel 1.3.2 - Arbitrary File Write) third-party-advisory

cve.org (CVE-2021-47871)

nvd.nist.gov (CVE-2021-47871)
