Remote Code Execution vulnerability exists in ThemisNETPanel due to missing authentication for a critical file upload function. The application exposes an endpoint that allows unauthenticated attackers to upload arbitrary PHP files by providing a base64-encoded payload and to execute arbitrary code on the underlying server. This issue has been fixed by a patch released in April 2026.
Metrics
Affected Vendors & Products
References
| Link | Providers |
|---|---|
| https://cert.pl/posts/2026/07/CVE-2026-6847/ |
|
History
Mon, 13 Jul 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
4real
4real themisnetpanel |
|
| Vendors & Products |
4real
4real themisnetpanel |
Mon, 13 Jul 2026 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Remote Code Execution vulnerability exists in ThemisNETPanel due to missing authentication for a critical file upload function. The application exposes an endpoint that allows unauthenticated attackers to upload arbitrary PHP files by providing a base64-encoded payload and to execute arbitrary code on the underlying server. This issue has been fixed by a patch released in April 2026. | |
| Title | Unauthenticated Remote Code Execution in ThemisNETPanel | |
| Weaknesses | CWE-306 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: CERT-PL
Published: 2026-07-13T13:26:20.946Z
Updated: 2026-07-13T13:26:20.946Z
Reserved: 2026-04-22T08:08:03.689Z
Link: CVE-2026-6847
No data.
No data.
No data.