PatchSiren cyber security CVE debrief
CVE-2025-30007 hestiacp CVE debrief
CVE-2025-30007 HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability. Low-privilege authenticated users can execute arbitrary root commands by injecting a single-quote character into unvalidated DNS record types. The vulnerability arises from insufficient input validation in is_dns_record_format_valid() and unsafe eval-based parsing in update_domain_zone().
- Vendor
- hestiacp
- Product
- Unknown
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
System administrators and security teams responsible for HestiaCP installations, especially those with low-privilege user accounts, should prioritize patching to version 1.9.5 or later.
Technical summary
The CVE-2025-30007 vulnerability in HestiaCP allows low-privilege authenticated users to execute arbitrary OS commands as root. This is achieved by injecting a single-quote character into unvalidated DNS record types, which, when processed, prematurely close a variable assignment string. The vulnerability is caused by insufficient input validation in the is_dns_record_format_valid() function and unsafe eval-based parsing in the update_domain_zone() function. Successful exploitation requires user interaction, as the attacker must be authenticated, albeit with low privileges.
Defensive priority
High
Recommended defensive actions
- Apply the patch: Upgrade HestiaCP to version 1.9.5 or later.
- Restrict access: Limit access to DNS record management features to only necessary personnel.
- Monitor activity: Regularly review logs for suspicious DNS record creation attempts.
- Inventory check: Verify all HestiaCP installations and their current versions.
- Exception tracking: Implement a process to track and address any exceptions related to DNS record management.
Evidence notes
The CVE record was published on 2026-07-10T19:17:18.130Z and was last modified on 2026-07-10T19:21:09.530Z. The NVD entry is currently Undergoing Analysis. The vulnerability was disclosed by Vulncheck, and multiple references are provided, including GitHub commits, a pull request, and a release tag.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T19:17:18.130Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.