HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars() encoding to the DNS record value field rendered into the data-sort-value HTML attribute in list_dns_rec.php, allowing the payload to execute in the browser of any user who views the DNS record list, including administrators.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Fri, 10 Jul 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Hestiacp
Hestiacp hestiacp |
|
| Vendors & Products |
Hestiacp
Hestiacp hestiacp |
Fri, 10 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars() encoding to the DNS record value field rendered into the data-sort-value HTML attribute in list_dns_rec.php, allowing the payload to execute in the browser of any user who views the DNS record list, including administrators. | |
| Title | HestiaCP < 1.9.5 Stored XSS via DNS Record Management Interface | |
| Weaknesses | CWE-79 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-10T17:51:07.679Z
Reserved: 2025-03-13T17:27:08.113Z
Link: CVE-2025-30008
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-10T19:30:04Z
Weaknesses