Hestia Control Panel 1.3.2 - Arbitrary File Write | Advisories

Advisories

Hestia Control Panel 1.3.2 - Arbitrary File Write

severity: high
date: January 21, 2026
Affecting: Hestia Control Panel 1.3.3
CVE: CVE-2021-47871
CWE: CWE-73 External Control of File Name or Path
CVSS: 8.6
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-49667
Hestia Control Panel Official Homepage
Hestia Control Panel GitHub Repository
Credit: Numan Türle
Description: Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the server.