CVE-2026-12195 PUBLISHED

Assigner: PRJBLK
Reserved: 14.06.2026 Published: 04.07.2026 Updated: 04.07.2026

myVesta is affected by an authenticated remote code execution vulnerability. Low privileged users can insert arbitrary commands as a part of the v_ftp_user parameter when deleting FTP usernames. This could result in the execution of commands as the admin user or takevoer of the admin user in myVesta.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
CVSS Score: 8.5

Product Status

Vendor myvesta
Product vesta
Versions Default: unaffected
  • affected from 0 to 95d7e43bf286d6881ca753dac93cb42d98cc7422 (excl.)

References

Problem Types

  • CWE-78 Improper neutralization of special elements used in an OS command ('OS command injection') CWE

Impacts

  • CAPEC-88 OS Command Injection