Filtered by vendor Hestiacp Subscriptions
Filtered by product Hestiacp Subscriptions
Total 9 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2025-30007 1 Hestiacp 1 Hestiacp 2026-07-13 8.8 High
HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types. Attackers can exploit insufficient input validation in is_dns_record_format_valid() combined with unsafe eval-based parsing in update_domain_zone() to prematurely close a variable assignment string and achieve full root code execution on the underlying host in a single DNS record creation step.
CVE-2025-30008 1 Hestiacp 1 Hestiacp 2026-07-10 4.6 Medium
HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars() encoding to the DNS record value field rendered into the data-sort-value HTML attribute in list_dns_rec.php, allowing the payload to execute in the browser of any user who views the DNS record list, including administrators.
CVE-2026-12196 1 Hestiacp 1 Hestiacp 2026-07-06 N/A
HestiaCP panel cronjob feature is affected by a broken access control vulnerability. Low privilege users can modify the panel cronjob to execute scripts HestiaCP management scripts with passwordless sudo. This could result in the takeover of administrator users in the application and the underlying webserver.
CVE-2026-43634 1 Hestiacp 1 Hestiacp 2026-05-19 7.5 High
HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.
CVE-2026-43633 1 Hestiacp 1 Hestiacp 2026-05-19 10 Critical
HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP headers that are processed by the PHP session handler but incorrectly deserialized by the Node.js web terminal component as trusted session values, resulting in arbitrary command execution on systems with the web terminal feature enabled.
CVE-2023-5084 1 Hestiacp 1 Hestiacp 2024-12-03 3.9 Low
Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8.
CVE-2023-4517 1 Hestiacp 1 Hestiacp 2024-11-21 5.4 Medium
Cross-site Scripting (XSS) - Stored in GitHub repository hestiacp/hestiacp prior to 1.8.6.
CVE-2023-3479 1 Hestiacp 2 Control Panel, Hestiacp 2024-11-21 6.1 Medium
Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.7.8.
CVE-2021-30070 1 Hestiacp 1 Hestiacp 2024-11-21 7.5 High
An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk [] parameter in the update request being transmitted to the operating system's package manager.