CVE-2025-30008 in HestiaCPinformação

Sumário

de MITRE • 10/07/2026

HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars() encoding to the DNS record value field rendered into the data-sort-value HTML attribute in list_dns_rec.php, allowing the payload to execute in the browser of any user who views the DNS record list, including administrators.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Responsável

VulnCheck

Reservar

13/03/2025

Divulgação

10/07/2026

Moderação

aceite

Entrada

VDB-377575

CPE

pronto

EPSS

0.00000

KEV

não

Atividades

muito baixo

Fontes

Do you need the next level of professionalism?

Upgrade your account now!