PT-2026-57247 · Hestiacp · Hestiacp

Djibril Mounkoro

·

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2025-30008

CVSS v3.1

4.6

Medium

VectorAV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars() encoding to the DNS record value field rendered into the data-sort-value HTML attribute in list dns rec.php, allowing the payload to execute in the browser of any user who views the DNS record list, including administrators.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2025-30008

Affected Products

Hestiacp