Lucene search
+L

74 matches found

Vulnrichment
Vulnrichment
added 2026/07/10 5:51 p.m.11 views

CVE-2025-30008 HestiaCP < 1.9.5 Stored XSS via DNS Record Management Interface

HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars encoding ...

5.1CVSS6.2AI score0.00181EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/10 5:50 p.m.39 views

CVE-2025-30007 HestiaCP < 1.9.5 Authenticated OS Command Injection via DNS Record Management

HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types. Attackers can exploit insufficient input validation in...

8.8CVSS0.02077EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/04 12:0 a.m.12 views

PT-2026-55695

Name of the Vulnerable Software and Affected Versions HestiaCP affected versions not specified Description The panel cronjob feature contains a broken access control flaw. This allows users with low privileges to modify the panel cronjob to execute HestiaCP management scripts using passwordless...

8.3CVSS6AI score0.00256EPSS
Exploits0References8
NVD
NVD
added 2026/05/19 3:16 p.m.18 views

CVE-2026-43634

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's...

8.7CVSS0.00241EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/19 1:33 p.m.45 views

CVE-2026-43634 HestiaCP 1.2.0-1.9.4 IP Spoofing via CF-Connecting-IP Header

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's...

8.7CVSS0.00241EPSS
Exploits0References5
OSV
OSV
added 2026/05/19 1:33 p.m.3 views

CVE-2026-43634 HestiaCP 1.2.0-1.9.4 IP Spoofing via CF-Connecting-IP Header

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's...

8.7CVSS6.1AI score0.01072EPSS
Exploits0References8
Vulnrichment
Vulnrichment
added 2026/05/19 1:29 p.m.8 views

CVE-2026-43633 HestiaCP 1.9.0-1.9.4 Deserialization RCE via Web Terminal

HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP...

10CVSS6.2AI score0.01072EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/19 1:29 p.m.45 views

CVE-2026-43633 HestiaCP 1.9.0-1.9.4 Deserialization RCE via Web Terminal

HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP...

10CVSS0.01072EPSS
Exploits0References5
CVE
CVE
added 2026/05/19 1:29 p.m.22 views

CVE-2026-43633

CVE-2026-43633 affects HestiaCP versions 1.9.0–1.9.4, where a deserialization vulnerability in the web terminal component is caused by a session format mismatch between PHP and Node.js. Unauthenticated remote attackers can trigger root‑level code execution by injecting crafted data into HTTP head...

10CVSS6.2AI score0.01072EPSS
Exploits0References5
OSV
OSV
added 2026/01/21 6:16 p.m.5 views

CVE-2021-47871

Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the...

8.8CVSS5.9AI score0.00421EPSS
Exploits0References4
NVD
NVD
added 2026/01/21 6:16 p.m.10 views

CVE-2021-47871

Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the...

8.8CVSS0.00421EPSS
Exploits0References4
EUVD
EUVD
added 2026/01/21 5:27 p.m.9 views

EUVD-2026-3620

Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the...

8.8CVSS5.8AI score0.00421EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/01/21 5:27 p.m.4 views

CVE-2021-47871

Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the...

8.8CVSS5.6AI score0.00421EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/01/21 5:27 p.m.5 views

CVE-2021-47871 Hestia Control Panel 1.3.2 - Arbitrary File Write

Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the...

8.8CVSS5.8AI score0.00421EPSS
Exploits0References4
CVE
CVE
added 2026/01/21 5:27 p.m.16 views

CVE-2021-47871

CVE-2021-47871 affects Hestia Control Panel 1.3.2. An authenticated attacker can exploit the API endpoint index.php via the v-make-tmp-file command to perform arbitrary file writes, potentially placing SSH keys or other content at arbitrary server paths. Impact is high for confidentiality, integr...

8.8CVSS5.8AI score0.00421EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/01/21 5:27 p.m.22 views

CVE-2021-47871 Hestia Control Panel 1.3.2 - Arbitrary File Write

Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the...

8.8CVSS0.00421EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/01/21 12:0 a.m.9 views

Hestia Control Panel security vulnerabilities

Hestia Control Panel is an open-source host control panel developed by Hestia. Version 1.3.2 of Hestia Control Panel contains a security vulnerability. This vulnerability stems from arbitrary file writing in the API index.php endpoint, which could allow authenticated attackers to write files...

8.8CVSS5.9AI score0.00421EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/01/21 12:0 a.m.15 views

PT-2026-3823

Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the...

8.8CVSS5.8AI score0.00421EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/01/09 9:51 a.m.16 views

CVE-2020-10966

In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name...

6.5CVSS6.9AI score0.01853EPSS
Exploits1References1
Packet Storm
Packet Storm
added 2025/12/16 12:0 a.m.165 views

📄 Hestia Control Panel 1.9.3 Code Execution

Hestia Control Panel version 1.9.3 code injection proof of concept exploit written in PHP that leverages cronjobs. ============================================================================================================================================= | Title : Hestia Control Panel 1.9.3 PHP...

7.7AI score
Exploits0
Rows per page
Query Builder