If you haven't already secured your own installation of VestaCP, please do asap.

Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .bash_logout to a .bash_logout' substring followed by shell metacharacters.

Keep an eye out for updates here: https://forum.vestacp.com/viewforum.php?f=25

I won't post links to blog posts about how to exploit it, I'm sure you who are interested will find them soon enough.

On a personal note, I liked VestaCP, it was a nice, simple panel that had the features that I needed for my daily web hosting (personal) business....

Today, I don't need more things giving me headaches and trouble sleeping at night.