CVE-2021-47871 HIGH

CVE-2021-47871: Hestia Control Panel 1.3.2 - Arbitrary File Write

Vendor Hestia Control Panel
Product Hestia Control Panel
Weakness CWE-73
Published January 21, 2026
Last update March 5, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the server.

Key dates

02Disclosure timeline

January 21, 2026 CVE published
March 5, 2026 Record updated