CVE-2025-30008
HestiaCP < 1.9.5 Stored XSS via DNS Record Management Interface
CVSS Score
4.6
EPSS Score
0.2%
EPSS Percentile
8th
HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars() encoding to the DNS record value field rendered into the data-sort-value HTML attribute in list_dns_rec.php, allowing the payload to execute in the browser of any user who views the DNS record list, including administrators.
| CWE | CWE-79 |
| Vendor | hestiacp |
| Product | hestiacp |
| Published | Jul 10, 2026 |
| Last Updated | Jul 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for hestiacp hestiacp
Be the first to know when new medium vulnerabilities affecting hestiacp hestiacp are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Affected Versions
hestiacp / hestiacp
0 < 1.9.5
References
github.com: https://github.com/hestiacp/hestiacp/releases/tag/1.9.5 github.com: https://github.com/hestiacp/hestiacp/pull/5196 github.com: https://github.com/hestiacp/hestiacp/commit/07dda18ef0087ea981ff84d4d5757774cf2124b0 vulncheck.com: https://www.vulncheck.com/advisories/hestiacp-stored-xss-via-dns-record-management-interface
Credits
Djibril Mounkoro