Vesta v1.0.0-5 exists to contain a cross-site scripting (XSS) vulnerability via the generate_response function at /web/api/v1/upload/UploadHandler.php.
vestacp vesta control panel 1.0.0-5