HestiacpCVEs & Vulnerabilities

17 CVEs affecting Hestiacp products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

control panel 14hestiacp 3
CVE-2023-5839HIGH

Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8.9.

29 Oct 2023
7.8
CVSS
CVE-2023-4517MEDIUM

Cross-site Scripting (XSS) - Stored in GitHub repository hestiacp/hestiacp prior to 1.8.6.

13 Oct 2023
5.4
CVSS
CVE-2023-5084MEDIUM

Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8.

20 Sep 2023
6.1
CVSS
CVE-2023-3479MEDIUM

Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.7.8.

30 Jun 2023
6.1
CVSS
CVE-2021-30071MEDIUM

A cross-site scripting (XSS) vulnerability in /admin/list_key.html of HestiaCP before v1.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

18 Aug 2022
6.1
CVSS
CVE-2021-30070HIGH

An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk [] parameter in the update request being transmitted to the operating system's package manager.

18 Aug 2022
7.5
CVSS
CVE-2022-2636HIGH

Improper Control of Generation of Code ('Code Injection') in GitHub repository hestiacp/hestiacp prior to 1.6.6.

5 Aug 2022
8.8
CVSS
CVE-2022-2626HIGH

Incorrect Privilege Assignment in GitHub repository hestiacp/hestiacp prior to 1.6.6.

5 Aug 2022
7.2
CVSS
CVE-2022-2550HIGH

OS Command Injection in GitHub repository hestiacp/hestiacp prior to 1.6.5.

27 Jul 2022
8.8
CVSS
CVE-2022-1509HIGH

Command Injection Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.12. An authenticated remote attacker with low privileges can execute arbitrary code under root context.

28 Apr 2022
8.8
CVSS
CVE-2022-0986MEDIUM

Reflected Cross-site Scripting (XSS) Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.11.

16 Mar 2022
6.1
CVSS
CVE-2022-0752MEDIUM

Cross-site Scripting (XSS) - Generic in GitHub repository hestiacp/hestiacp prior to 1.5.9.

4 Mar 2022
6.1
CVSS
CVE-2022-0838MEDIUM

Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.10.

4 Mar 2022
6.1
CVSS
CVE-2022-0753MEDIUM

Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.9.

3 Mar 2022
6.1
CVSS
CVE-2021-3797CRITICAL

hestiacp is vulnerable to Use of Wrong Operator in String Comparison

15 Sep 2021
9.8
CVSS
CVE-2021-27231MEDIUM

Hestia Control Panel 1.3.5 and below, in a shared-hosting environment, sometimes allows remote authenticated users to create a subdomain for a different customer's domain name, leading to spoofing of services or email messages.

16 Feb 2021
5.4
CVSS
CVE-2020-10966MEDIUM

In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name.

26 Mar 2020
6.5
CVSS
← PrevPage 1 / 1Next →