CVE-2026-12195
Status: Received - Intake

Authenticated Remote Code Execution in myVesta via FTP Username Deletion

Vulnerability report for CVE-2026-12195, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a

Description

myVesta is affected by an authenticated remote code execution vulnerability. Low privileged users can insert arbitrary commands as part of the v_ftp_user parameter when deleting FTP usernames. This could result in the execution of commands as the admin user or takeover of the admin user in myVesta.

Meta Information

Published: 2026-07-04
Last Modified: 2026-07-04
Generated: 2026-07-04
AI Q&A: 2026-07-04
EPSS Evaluated: N/A
External records: NVD, EUVD

Affected Vendors & Products

Associated CPEs (2):

Vendor     Product    Version / Range
myvesta    myvesta    *
phpipam    phpipam    1.8.1

Exploitability

CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

AI Quick Actions

The following sections are instant insights powered by AI.

Compliance Impact

The vulnerability in myVesta allows low privileged users to execute arbitrary commands as the admin user, potentially leading to unauthorized access and control over sensitive systems.

Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and systems.

However, the provided context and resources do not explicitly discuss the direct impact of this vulnerability on compliance with these regulations.

Executive Summary

This vulnerability affects myVesta and is an authenticated remote code execution (RCE) issue. Low privileged users who have access can insert arbitrary commands through the v_ftp_user parameter when deleting FTP usernames. Because the input is not properly sanitized, these commands can be executed with admin privileges, potentially allowing the attacker to take over the admin user in myVesta.

Impact Analysis

The vulnerability allows low privileged users to execute arbitrary commands as the admin user. This can lead to a full takeover of the admin account in myVesta, compromising the entire system's security. An attacker could execute malicious commands, manipulate system files, or gain unauthorized control over the server.

Detection Guidance

Detection of this vulnerability involves identifying attempts where low privileged users insert arbitrary commands via the v_ftp_user parameter when deleting FTP usernames in myVesta.

Since the vulnerability is related to command injection through the FTP username deletion functionality, monitoring logs for suspicious commands or unusual shell executions triggered by FTP user deletions can help detect exploitation attempts.

No specific detection commands are provided in the available resources, but general approaches include:

  • Reviewing web server and application logs for unusual command execution patterns or errors related to FTP user deletions.
  • Using intrusion detection systems (IDS) or endpoint detection and response (EDR) tools to flag command injection patterns.
  • Employing local AI-based code review or penetration-testing tools; the researcher who reported this issue used a local AI model to identify the vulnerability reliably.

Mitigation Strategies

The immediate mitigation step is to apply the security fix that properly escapes the FTP username before executing shell commands.

Specifically, the fix involves using the PHP function escapeshellarg() on the v_ftp_user parameter to sanitize input and prevent command injection.

Updating the myVesta installation to include this patch or the latest version containing this fix will mitigate the vulnerability.

  • Apply the patch that modifies the exec() call in web/edit/web/index.php to wrap the FTP username argument with escapeshellarg().
  • Restrict FTP user deletion permissions to trusted users only.
  • Monitor and audit FTP user deletion activities for suspicious behavior.
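The following PHP is an added illustration of the fix described above and of the input check the Detection Guidance section calls for; it is not myVesta's own code. It places the vulnerable string-concatenation form of the exec() call next to the escapeshellarg() form, and adds an allowlist check that rejects and logs any v_ftp_user value containing characters no FTP username legitimately uses. The script name v-delete-ftp-user, the install path, and the username pattern are assumptions for the example, not values from myVesta.

```php
<?php
// Added example for CVE-2026-12195 (CWE-78), not myVesta's own code.
// 'v-delete-ftp-user' and VESTA_BIN are PLACEHOLDERS, not the real script or path.
declare(strict_types=1);

const VESTA_BIN = '/usr/local/vesta/bin/'; // assumed install path

// BEFORE (vulnerable): the user-controlled FTP username is concatenated into
// the command string unchanged, so shell metacharacters inside it are
// interpreted by the shell that exec() hands the string to.
function buildDeleteCommandUnsafe(string $user, string $domain, string $ftpUser): string
{
    return VESTA_BIN . 'v-delete-ftp-user ' . $user . ' ' . $domain . ' ' . $ftpUser;
}

// AFTER (fixed, as the advisory describes): each externally influenced argument
// is wrapped in escapeshellarg(), which single-quotes the value and escapes any
// embedded single quote, so the shell passes it through as one literal argument.
function buildDeleteCommandSafe(string $user, string $domain, string $ftpUser): string
{
    return VESTA_BIN . 'v-delete-ftp-user '
        . escapeshellarg($user) . ' '
        . escapeshellarg($domain) . ' '
        . escapeshellarg($ftpUser);
}

// Defense in depth: validate the username against an allowlist before it gets
// anywhere near a shell. The pattern is an assumed naming scheme, not myVesta's rule.
function isValidFtpUsername(string $ftpUser): bool
{
    return (bool) preg_match('/^[a-z0-9][a-z0-9._-]{0,31}$/', $ftpUser);
}

// Wrapper that applies both controls and records rejected requests, which is the
// "suspicious FTP user deletion" signal the Detection Guidance section describes.
function deleteFtpUser(string $user, string $domain, string $ftpUser): array
{
    if (!isValidFtpUsername($ftpUser)) {
        error_log(sprintf(
            'rejected FTP user deletion by %s on %s: invalid username %s',
            $user, $domain, json_encode($ftpUser)
        ));
        return ['ok' => false, 'error' => 'invalid FTP username'];
    }
    $output = [];
    $code = 1;
    exec(buildDeleteCommandSafe($user, $domain, $ftpUser), $output, $code);
    return ['ok' => $code === 0, 'output' => $output, 'code' => $code];
}

// Demonstration on constructed input. Only the command strings are built and
// printed here; nothing is executed, since the placeholder script does not exist.
if (PHP_SAPI === 'cli') {
    $benign  = 'site_ftp1';
    $hostile = 'ftp1; echo injected'; // constructed sample carrying a shell metacharacter

    echo "unsafe: ", buildDeleteCommandUnsafe('admin', 'example.com', $hostile), PHP_EOL;
    echo "safe:   ", buildDeleteCommandSafe('admin', 'example.com', $hostile), PHP_EOL;

    var_dump(isValidFtpUsername($benign));
    var_dump(isValidFtpUsername($hostile));
}
```

In the unsafe string the semicolon ends the intended command and the shell would run whatever follows; in the escaped form the whole value is a single quoted token that reaches the script as its third argument. The allowlist check is the layer to monitor: every rejection it logs is a deletion request that carried characters a real FTP username would never contain.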
