9.9
Vito Prior to 3.20.3: Unsecured Access to Other Projects' Servers
CVE-2026-29789
Summary
Vito, a self-hosted server management app, had a missing authorization check that allowed authenticated users with workflow write access in one project to create and manage sites on servers belonging to other projects. This issue has been fixed in version 3.20.3. Update to the latest version to ensure secure access control.
Original title
Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation...
Original description
Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project to create/manage sites on servers belonging to other projects by supplying a foreign server_id. This issue has been patched in version 3.20.3.
NVD CVSS 3.1
9.9
Vulnerability type
CWE-862
Missing Authorization
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
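The class of flaw described above (CWE-862, a request-supplied server_id used without checking it against the caller's project), shown as an added example beside its corrected form. This is not Vito's source code: the function names, the role string and the in-memory data are hypothetical and constructed for illustration.

```php
<?php
// Added illustration with a hypothetical data model; not Vito's code.
declare(strict_types=1);

final class AuthorizationException extends RuntimeException {}

// Constructed sample data: server id => owning project id.
const SERVERS = [10 => 1, 11 => 1, 20 => 2];
// Constructed sample data: user id => [project id => role].
const MEMBERSHIPS = [7 => [1 => 'workflow-write']];

/** Unsafe pattern: accepts any existing server_id from the request. */
function createSiteUnchecked(int $userId, int $projectId, int $serverId, string $domain): array
{
    if (!isset(SERVERS[$serverId])) {
        throw new InvalidArgumentException('unknown server');
    }
    // Missing: nothing ties $serverId to $projectId or to $userId.
    return ['server_id' => $serverId, 'domain' => $domain];
}

/** Corrected pattern: the server is resolved inside the caller's project scope. */
function createSiteChecked(int $userId, int $projectId, int $serverId, string $domain): array
{
    $role = MEMBERSHIPS[$userId][$projectId] ?? null;
    if ($role !== 'workflow-write') {
        throw new AuthorizationException('no workflow write access in this project');
    }
    // A server owned by another project is rejected like a missing one.
    if ((SERVERS[$serverId] ?? null) !== $projectId) {
        throw new AuthorizationException('server is not part of this project');
    }
    return ['server_id' => $serverId, 'domain' => $domain];
}

// User 7 has write access in project 1 only; server 20 belongs to project 2.
$site = createSiteUnchecked(7, 1, 20, 'example.test');
echo 'unchecked: site created on server ', $site['server_id'], PHP_EOL;

try {
    createSiteChecked(7, 1, 20, 'example.test');
} catch (AuthorizationException $e) {
    echo 'checked: denied (', $e->getMessage(), ')', PHP_EOL;
}

$site = createSiteChecked(7, 1, 10, 'example.test');
echo 'checked: site created on server ', $site['server_id'], PHP_EOL;
```

When reviewing similar code, every handler that takes a resource id from the request needs the same ownership check, including actions triggered indirectly through workflows.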