Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project to create/manage sites on servers belonging to other projects by supplying a foreign server_id. This issue has been patched in version 3.20.3.
Published: 2026-03-06
CVSS: 9.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Download Exploit for CVE-2026-29789 here:
Use Tor Browser to access .onion site.
https://sonitex.com/exploit-516-cve-2026-27389/