| CVE ID | CVE-2026-6847 |
| Publication date | 13 July 2026 |
| Vendor | 4real |
| Product | ThemisNETPanel |
| Vulnerable versions | All before 04.2026 |
| Vulnerability type (CWE) | Missing Authentication for Critical Function (CWE-306) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerability in 4real ThemisNETPanel software and participated in coordination of its disclosure.
The vulnerability CVE-2026-6847: Remote Code Execution vulnerability exists in ThemisNETPanel due to missing authentication for a critical file upload function. The application exposes an endpoint that allows unauthenticated attackers to upload arbitrary PHP files by providing a base64-encoded payload and to execute arbitrary code on the underlying server. This issue has been fixed by a patch released in April 2026.
Credits
We thank Kamil Szczurowski and Robert Kruczek for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.