PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-30008 hestiacp CVE debrief

CVE-2025-30008 is a stored cross-site scripting vulnerability in HestiaCP before 1.9.5. The vulnerability allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars() encoding to the DNS record value field rendered into the data-sort-value HTML attribute in list_dns_rec.php, allowing the payload to execute in the browser of any user who views the DNS record list, including administrators. This issue requires immediate attention from administrators and users of affected versions.

Vendor
hestiacp
Product
Unknown
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Administrators and users of HestiaCP versions before 1.9.5 should be aware of this vulnerability and take necessary actions to mitigate it. This includes updating to version 1.9.5 or later, restricting access to the DNS record management interface, and implementing additional security measures such as input validation and output encoding.

Technical summary

The vulnerability exists in the DNS record management interface of HestiaCP before 1.9.5. An authenticated low-privilege user can inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars() encoding to the DNS record value field rendered into the data-sort-value HTML attribute in list_dns_rec.php, allowing the payload to execute in the browser of any user who views the DNS record list, including administrators. This issue allows for stored cross-site scripting (XSS) attacks.

Defensive priority

Medium

Recommended defensive actions

  • Update HestiaCP to version 1.9.5 or later
  • Restrict access to the DNS record management interface to authorized users only
  • Implement additional security measures, such as input validation and output encoding, to prevent similar vulnerabilities
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The vulnerability was reported by Vulncheck and is publicly disclosed. The CVE record was published on 2026-07-10T19:17:19.243Z and last modified on 2026-07-10T21:16:53.010Z. Evidence is based on CVE and NVD details. Defenders should verify HestiaCP versions, review DNS record management, and assess user exposure.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T19:17:19.243Z and has not been modified since then.