PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-30007 hestiacp CVE debrief

CVE-2025-30007 HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability. Low-privilege authenticated users can execute arbitrary root commands by injecting a single-quote character into unvalidated DNS record types. The vulnerability arises from insufficient input validation in is_dns_record_format_valid() and unsafe eval-based parsing in update_domain_zone().

Vendor
hestiacp
Product
Unknown
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

System administrators and security teams responsible for HestiaCP installations, especially those with low-privilege user accounts, should prioritize patching to version 1.9.5 or later.

Technical summary

The CVE-2025-30007 vulnerability in HestiaCP allows low-privilege authenticated users to execute arbitrary OS commands as root. This is achieved by injecting a single-quote character into unvalidated DNS record types, which, when processed, prematurely close a variable assignment string. The vulnerability is caused by insufficient input validation in the is_dns_record_format_valid() function and unsafe eval-based parsing in the update_domain_zone() function. Successful exploitation requires user interaction, as the attacker must be authenticated, albeit with low privileges.

Defensive priority

High

Recommended defensive actions

  • Apply the patch: Upgrade HestiaCP to version 1.9.5 or later.
  • Restrict access: Limit access to DNS record management features to only necessary personnel.
  • Monitor activity: Regularly review logs for suspicious DNS record creation attempts.
  • Inventory check: Verify all HestiaCP installations and their current versions.
  • Exception tracking: Implement a process to track and address any exceptions related to DNS record management.

Evidence notes

The CVE record was published on 2026-07-10T19:17:18.130Z and was last modified on 2026-07-10T19:21:09.530Z. The NVD entry is currently Undergoing Analysis. The vulnerability was disclosed by Vulncheck, and multiple references are provided, including GitHub commits, a pull request, and a release tag.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T19:17:18.130Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.