CVE-2025-30008 in HestiaCP
Summary
by MITRE • 07/10/2026
HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars() encoding to the DNS record value field rendered into the data-sort-value HTML attribute in list_dns_rec.php, allowing the payload to execute in the browser of any user who views the DNS record list, including administrators.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/10/2026
This vulnerability exists within Hestia Control Panel version 1.9.4 and earlier, representing a critical stored cross-site scripting flaw that undermines the application's security posture. The weakness stems from insufficient input validation and output encoding mechanisms within the DNS management functionality, specifically in how the system processes and renders DNS record values. An authenticated user with low privileges can exploit this vulnerability by creating a malicious DNS record containing a double-quote character followed by arbitrary script code in the value field, effectively bypassing the application's security controls.
The technical implementation of this flaw occurs within the list_dns_rec.php file where the application fails to properly sanitize the DNS record values before incorporating them into HTML attributes. When a DNS record is displayed in the web interface, the value is rendered into a data-sort-value HTML attribute without appropriate htmlspecialchars() encoding, creating an environment where malicious scripts can execute within the context of any user's browser session who views the affected DNS record list. This stored nature of the vulnerability means that once the malicious payload is injected, it persists and affects all users who access the DNS management interface until manually removed.
The operational impact of this vulnerability extends beyond simple script execution as it provides an attacker with potential access to sensitive administrative functions and user data. Any user who views the affected DNS records, including system administrators with elevated privileges, becomes a potential victim of the stored XSS attack. This creates a significant risk for privilege escalation attacks where attackers can manipulate the application's behavior or redirect users to malicious sites while maintaining persistence within the control panel environment. The vulnerability also affects the integrity of the application's user interface and can be leveraged to perform session hijacking or data theft operations.
Organizations using HestiaCP versions prior to 1.9.5 face substantial security risks due to this vulnerability, which aligns with CWE-79 (Cross-site Scripting) and follows patterns described in the ATT&CK framework under T1059.001 (Command and Scripting Interpreter: Visual Basic). The recommended mitigation involves upgrading to version 1.9.5 or later where proper input sanitization has been implemented, ensuring that all user-provided DNS record values are properly escaped before rendering into HTML attributes. Additionally, implementing proper output encoding mechanisms in the affected PHP files and conducting regular security reviews of input handling processes will help prevent similar vulnerabilities from emerging in future releases. System administrators should also consider implementing network-level protections and monitoring for suspicious DNS record creation activities to detect potential exploitation attempts.