Remote Code Execution vulnerability exists in ThemisNETPanel due to missing authentication for a critical file upload function. The application exposes an endpoint that allows unauthenticated attackers to upload arbitrary PHP files by providing a base64-encoded payload and to execute arbitrary code on the underlying server. This issue has been fixed by a patch released in April 2026.
History

Mon, 13 Jul 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared 4real
4real themisnetpanel
Vendors & Products 4real
4real themisnetpanel

Mon, 13 Jul 2026 13:45:00 +0000

Type Values Removed Values Added
Description Remote Code Execution vulnerability exists in ThemisNETPanel due to missing authentication for a critical file upload function. The application exposes an endpoint that allows unauthenticated attackers to upload arbitrary PHP files by providing a base64-encoded payload and to execute arbitrary code on the underlying server. This issue has been fixed by a patch released in April 2026.
Title Unauthenticated Remote Code Execution in ThemisNETPanel
Weaknesses CWE-306
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published: 2026-07-13T13:26:20.946Z

Updated: 2026-07-13T13:26:20.946Z

Reserved: 2026-04-22T08:08:03.689Z

Link: CVE-2026-6847

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.