{
  "affected": [
    {
      "database_specific": {
        "unresolved_ranges": [
          {
            "events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "0.9.8-26"
              }
            ]
          }
        ]
      },
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "fixed": "0.9.8-26-43"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "91c592586e3adfb2433e35eb7a3d5708637b47c0"
            },
            {
              "fixed": "7991753ab7c5c568768028fb77554db8ea149f17"
            }
          ],
          "repo": "https://github.com/myvesta/vesta",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "a4e4542a6d1351c2857b169f8621dd9a13a2e896"
            }
          ],
          "repo": "https://github.com/outroll/vesta",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. A remote, authenticated administrative user can execute arbitrary commands via the v_sftp_license parameter in HTTP POST requests to the /edit/server endpoint.",
  "id": "CVE-2021-46850",
  "modified": "2026-03-15T21:49:45.042079774Z",
  "published": "2022-10-24T14:15:50.067Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/myvesta/vesta/releases/tag/0.9.8-26-43"
    },
    {
      "type": "FIX",
      "url": "https://github.com/serghey-rodin/vesta/commit/a4e4542a6d1351c2857b169f8621dd9a13a2e896"
    },
    {
      "type": "FIX",
      "url": "https://github.com/myvesta/vesta/commit/7991753ab7c5c568768028fb77554db8ea149f17"
    },
    {
      "type": "EVIDENCE",
      "url": "https://www.exploit-db.com/exploits/49674"
    },
    {
      "type": "EVIDENCE",
      "url": "https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}