๐Ÿ” CVE Alert

CVE-2025-30008

MEDIUM 4.6

HestiaCP < 1.9.5 Stored XSS via DNS Record Management Interface

CVSS Score
4.6
EPSS Score
0.2%
EPSS Percentile
8th

HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars() encoding to the DNS record value field rendered into the data-sort-value HTML attribute in list_dns_rec.php, allowing the payload to execute in the browser of any user who views the DNS record list, including administrators.

CWE CWE-79
Vendor hestiacp
Product hestiacp
Published Jul 10, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for hestiacp hestiacp

Be the first to know when new medium vulnerabilities affecting hestiacp hestiacp are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

hestiacp / hestiacp
0 < 1.9.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/hestiacp/hestiacp/releases/tag/1.9.5 github.com: https://github.com/hestiacp/hestiacp/pull/5196 github.com: https://github.com/hestiacp/hestiacp/commit/07dda18ef0087ea981ff84d4d5757774cf2124b0 vulncheck.com: https://www.vulncheck.com/advisories/hestiacp-stored-xss-via-dns-record-management-interface

Credits

Djibril Mounkoro