CVE-2026-6847 PUBLISHED

Unauthenticated Remote Code Execution in ThemisNETPanel

Assigner: CERT-PL
Reserved: 22.04.2026 Published: 13.07.2026 Updated: 13.07.2026

Remote Code Execution vulnerability exists in ThemisNETPanel due to missing authentication for a critical file upload function. The application exposes an endpoint that allows unauthenticated attackers to upload arbitrary PHP files by providing a base64-encoded payload and to execute arbitrary code on the underlying server. This issue has been fixed by a patch released in April 2026.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
CVSS Score: 9.3

Product Status

Vendor 4real
Product ThemisNETPanel
Versions Default: unaffected
  • affected from 0 to 04.2026 (excl.)

Credits

  • Kamil Szczurowski finder
  • Robert Kruczek finder

References

Problem Types

  • CWE-306 Missing Authentication for Critical Function CWE