PT-2026-39523 · Unknown · Cyberpanel
Numan Türle · Published 2026-05-10 · Updated 2026-05-10 · CVE-2021-47949
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
CyberPanel version 2.1
Description
Authenticated attackers can read arbitrary files and execute remote code by exploiting symlink attacks. By manipulating the completeStartingPath parameter in POST requests to the "/filemanager/controller" endpoint, attackers can create symbolic links to access sensitive data, such as database credentials. Additionally, arbitrary shell commands can be executed through the "/websites/fetchFolderDetails" endpoint.
Recommendations
Upgrade to version 2.1.2.
Exploit
Fix
Link Following
Affected Products
Cyberpanel