CVE-2025-30008
HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary
CVSS
4.6
Medio
EPSS
0.2%
p8
KEV
—
Exploit Today
2
0-100
Publicado: 10 jul 2026 · Última mod.: 14 jul 2026 · CWE-79
HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars() encoding to the DNS record value field rendered into the data-sort-value HTML attribute in list_dns_rec.php, allowing the payload to execute in the browser of any user who views the DNS record list, including administrators.
- github.comhttps://github.com/hestiacp/hestiacp/commit/07dda18ef0087ea981ff84d4d5757774cf2124b0
- github.comhttps://github.com/hestiacp/hestiacp/pull/5196
- github.comhttps://github.com/hestiacp/hestiacp/releases/tag/1.9.5
- www.vulncheck.comhttps://www.vulncheck.com/advisories/hestiacp-stored-xss-via-dns-record-management-interface