Hello Mr. Smitka!
Thanks for your marvellous research and identification of this security flaw. Would you please be so kind as to confirm that the following is true:
Statement:
If we do not use PHP-FPM at the moment or deactivate it until the HestiaCP team offers a solution, then it should be fine.
Looks very logical, but I want an answer from you.
This vulnerability is triggered only through local access, where a user having access to the system can elevate rights and cause damage.
Statement:
So if there are no users who have access, then the HestiaCP panel is not vulnerable.
Again, I know that it should be fine. But I want an answer from you.
NB: I do not have any other users and use the panel all for myself.