Hestiacp
by Hestiacp
CVEs (18)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-43633 | | Critical | 0.58 | 10.0 | 0.01 | | May 19, 2026 | HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted… |
| CVE-2021-47871 | | High | 0.57 | 8.8 | 0.00 | | Jan 21, 2026 | Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific… |
| CVE-2026-43634 | | High | 0.42 | 7.5 | 0.00 | | May 19, 2026 | HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated… |
| CVE-2022-2550 | | | 0.04 | — | 0.47 | | Jul 27, 2022 | OS Command Injection in GitHub repository hestiacp/hestiacp prior to 1.6.5. |
| CVE-2023-5839 | | | 0.00 | — | 0.00 | | Oct 29, 2023 | Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8.9. |
| CVE-2023-4517 | | | 0.00 | — | 0.00 | | Oct 13, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository hestiacp/hestiacp prior to 1.8.6. |
| CVE-2023-5084 | | | 0.00 | — | 0.00 | | Sep 20, 2023 | Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8. |
| CVE-2023-3479 | | | 0.00 | — | 0.01 | | Jun 30, 2023 | Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.7.8. |
| CVE-2021-30071 | | | 0.00 | — | 0.01 | | Aug 18, 2022 | A cross-site scripting (XSS) vulnerability in /admin/list_key.html of HestiaCP before v1.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2021-30070 | | | 0.00 | — | 0.01 | | Aug 18, 2022 | An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk [] parameter in the update request being transmitted to the operating system's package manager. |
| CVE-2022-2636 | | | 0.00 | — | 0.01 | | Aug 5, 2022 | Improper Control of Generation of Code ('Code Injection') in GitHub repository hestiacp/hestiacp prior to 1.6.6. |
| CVE-2022-2626 | | | 0.00 | — | 0.01 | | Aug 5, 2022 | Incorrect Privilege Assignment in GitHub repository hestiacp/hestiacp prior to 1.6.6. |
| CVE-2022-1509 | | | 0.00 | — | 0.04 | | Apr 28, 2022 | Command Injection Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.12. An authenticated remote attacker with low privileges can execute arbitrary code under root context. |
| CVE-2022-0986 | | | 0.00 | — | 0.01 | | Mar 16, 2022 | Reflected Cross-site Scripting (XSS) Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.11. |
| CVE-2022-0752 | | | 0.00 | — | 0.01 | | Mar 4, 2022 | Cross-site Scripting (XSS) - Generic in GitHub repository hestiacp/hestiacp prior to 1.5.9. |
| CVE-2022-0838 | | | 0.00 | — | 0.01 | | Mar 4, 2022 | Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.10. |
| CVE-2022-0753 | | | 0.00 | — | 0.01 | | Mar 3, 2022 | Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.9. |
| CVE-2021-3797 | | | 0.00 | — | 0.01 | | Sep 15, 2021 | hestiacp is vulnerable to Use of Wrong Operator in String Comparison. |