Hestiacp
Monthly
Stored cross-site scripting in HestiaCP's DNS record management interface (all versions before 1.9.5) enables authenticated low-privilege users to execute arbitrary JavaScript in the browsers of any panel user who views the DNS record list, including administrators. The flaw in list_dns_rec.php allows injecting a script payload via a crafted DNS record value that breaks out of the data-sort-value HTML attribute due to missing htmlspecialchars() encoding - creating a persistent, privilege-escalating attack path from tenant-level access to admin session compromise. No public exploit or CISA KEV listing has been identified at time of analysis; vendor-released patch (v1.9.5) is available.
Privilege escalation to root in the HestiaCP web hosting control panel (versions before 1.9.5) lets any low-privilege authenticated user run arbitrary OS commands as root by injecting a single-quote into an unvalidated DNS record type field. The flaw chains weak input validation in is_dns_record_format_valid() with unsafe eval-based zone parsing in update_domain_zone(), turning a routine DNS record creation into full host takeover. No public exploit is identified at time of analysis, but VulnCheck has published a detailed advisory and the vendor shipped a fix in 1.9.5.
Authentication security bypass in HestiaCP 1.2.0 through 1.9.4 allows unauthenticated remote attackers to spoof their source IP address by injecting an arbitrary value into the CF-Connecting-IP HTTP header, which the panel trusts unconditionally without verifying the request originated from Cloudflare's network. This enables attackers to defeat fail2ban brute-force throttling, evade per-user IP allowlists, and poison authentication audit logs. Publicly available exploit code exists and a vendor patch is available.
Unauthenticated root-level remote code execution affects HestiaCP versions 1.9.0 through 1.9.4 when the optional web terminal feature is enabled, stemming from a session-handling format mismatch (CWE-502) between the PHP backend and the Node.js web terminal. Remote attackers can inject crafted HTTP header data that PHP writes into session storage but Node.js parses with naive string splitting, yielding arbitrary command execution as root; no public exploit identified at time of analysis, though VulnCheck has published a technical advisory and the upstream patch is publicly diffable.
Cross-site Scripting (XSS) - Stored in GitHub repository hestiacp/hestiacp prior to 1.8.6. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Stored cross-site scripting in HestiaCP's DNS record management interface (all versions before 1.9.5) enables authenticated low-privilege users to execute arbitrary JavaScript in the browsers of any panel user who views the DNS record list, including administrators. The flaw in list_dns_rec.php allows injecting a script payload via a crafted DNS record value that breaks out of the data-sort-value HTML attribute due to missing htmlspecialchars() encoding - creating a persistent, privilege-escalating attack path from tenant-level access to admin session compromise. No public exploit or CISA KEV listing has been identified at time of analysis; vendor-released patch (v1.9.5) is available.
Privilege escalation to root in the HestiaCP web hosting control panel (versions before 1.9.5) lets any low-privilege authenticated user run arbitrary OS commands as root by injecting a single-quote into an unvalidated DNS record type field. The flaw chains weak input validation in is_dns_record_format_valid() with unsafe eval-based zone parsing in update_domain_zone(), turning a routine DNS record creation into full host takeover. No public exploit is identified at time of analysis, but VulnCheck has published a detailed advisory and the vendor shipped a fix in 1.9.5.
Authentication security bypass in HestiaCP 1.2.0 through 1.9.4 allows unauthenticated remote attackers to spoof their source IP address by injecting an arbitrary value into the CF-Connecting-IP HTTP header, which the panel trusts unconditionally without verifying the request originated from Cloudflare's network. This enables attackers to defeat fail2ban brute-force throttling, evade per-user IP allowlists, and poison authentication audit logs. Publicly available exploit code exists and a vendor patch is available.
Unauthenticated root-level remote code execution affects HestiaCP versions 1.9.0 through 1.9.4 when the optional web terminal feature is enabled, stemming from a session-handling format mismatch (CWE-502) between the PHP backend and the Node.js web terminal. Remote attackers can inject crafted HTTP header data that PHP writes into session storage but Node.js parses with naive string splitting, yielding arbitrary command execution as root; no public exploit identified at time of analysis, though VulnCheck has published a technical advisory and the upstream patch is publicly diffable.
Cross-site Scripting (XSS) - Stored in GitHub repository hestiacp/hestiacp prior to 1.8.6. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.