CVE-2021-47873

HIGH 7.2

VestaCP < 0.9.8-25 - Stored Cross-Site Scripting

CVSS Score

7.2

EPSS Score

0.0%

EPSS Percentile

0th

VestaCP versions prior to 0.9.8-25 contain a cross-site scripting vulnerability in the IP interface configuration that allows attackers to inject malicious scripts. Attackers can exploit the 'v_interface' parameter by sending a crafted POST request to the add/ip/ endpoint with a stored XSS payload.

CWE	CWE-79
Vendor	vestacp
Product	vestacp
Published	Jan 21, 2026
Last Updated	Mar 5, 2026

Stay Ahead of the Next One

Get instant alerts for vestacp vestacp

Be the first to know when new high vulnerabilities affecting vestacp vestacp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

VestaCP / VestaCP

0.9.8 ≤ 0.9.8-25

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/49662 vestacp.com: https://vestacp.com myvestacp.com: https://myvestacp.com vulncheck.com: https://www.vulncheck.com/advisories/vestacp-stored-cross-site-scripting

Credits

Numan Türle