Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Low-privilege authentication required (PR:L), admin must view DNS list (UI:R), stored XSS changes scope to victim browser (S:C); server itself has no direct C/I/A impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars() encoding to the DNS record value field rendered into the data-sort-value HTML attribute in list_dns_rec.php, allowing the payload to execute in the browser of any user who views the DNS record list, including administrators.
AnalysisAI
Stored cross-site scripting in HestiaCP's DNS record management interface (all versions before 1.9.5) enables authenticated low-privilege users to execute arbitrary JavaScript in the browsers of any panel user who views the DNS record list, including administrators. The flaw in list_dns_rec.php allows injecting a script payload via a crafted DNS record value that breaks out of the data-sort-value HTML attribute due to missing htmlspecialchars() encoding - creating a persistent, privilege-escalating attack path from tenant-level access to admin session compromise. No public exploit or CISA KEV listing has been identified at time of analysis; vendor-released patch (v1.9.5) is available.
Technical ContextAI
HestiaCP is an open-source PHP-based web hosting control panel. The vulnerable component, list_dns_rec.php, renders DNS record values directly into the data-sort-value HTML attribute of list elements without applying PHP's htmlspecialchars() sanitization function. CWE-79 (Improper Neutralization of Input During Web Page Generation) covers this exact root cause class: unsanitized user-controlled data inserted into an HTML attribute context allows injection of a closing quote followed by arbitrary event handlers or script tags. The stored nature of the flaw means the payload persists in the application's data layer until the record is deleted or the system is patched, increasing dwell time compared to reflected XSS. CPE cpe:2.3:a:hestiacp:hestiacp:*:*:*:*:*:*:*:* confirms all HestiaCP versions prior to 1.9.5 are in scope.
RemediationAI
Upgrade HestiaCP to version 1.9.5 or later, which resolves the missing htmlspecialchars() encoding in list_dns_rec.php. The release is available at https://github.com/hestiacp/hestiacp/releases/tag/1.9.5, with the specific code fix in commit 07dda18ef0087ea981ff84d4d5757774cf2124b0 (PR #5196). Prior to patching, the most effective compensating control is to restrict DNS record creation and modification to trusted administrator accounts only, using HestiaCP's built-in role and permission controls; this eliminates the attack surface entirely but removes self-service DNS management for tenants. A secondary control is to audit existing DNS records for anomalous values containing HTML special characters (double-quotes, angle brackets, script keywords), which can identify already-planted payloads. No workaround short of access restriction fully mitigates the flaw in unpatched versions.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210453
GHSA-w2cw-hx5v-f37r