VYPR

Vendor: Hestiacp

Products: 1
CVEs: 18
Across products: 18
Status: Private

Recent CVEs (18)
  • CVE-2026-43633 (Critical), May 19, 2026
    risk 0.58, cvss 10.0, epss 0.01

    HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted…

  • CVE-2021-47871 (High), Jan 21, 2026
    risk 0.57, cvss 8.8, epss 0.00

    Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific…

  • CVE-2026-43634 (High), May 19, 2026
    risk 0.42, cvss 7.5, epss 0.00

    HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated…

  • CVE-2022-2550, Jul 27, 2022
    risk 0.04, cvss n/a, epss 0.47

    OS Command Injection in GitHub repository hestiacp/hestiacp prior to 1.6.5.

  • CVE-2023-5839, Oct 29, 2023
    risk 0.00, cvss n/a, epss 0.00

    Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8.9.

  • CVE-2023-4517, Oct 13, 2023
    risk 0.00, cvss n/a, epss 0.00

    Cross-site Scripting (XSS) - Stored in GitHub repository hestiacp/hestiacp prior to 1.8.6.

  • CVE-2023-5084, Sep 20, 2023
    risk 0.00, cvss n/a, epss 0.00

    Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8.

  • CVE-2023-3479, Jun 30, 2023
    risk 0.00, cvss n/a, epss 0.01

    Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.7.8.

  • CVE-2021-30071, Aug 18, 2022
    risk 0.00, cvss n/a, epss 0.01

    A cross-site scripting (XSS) vulnerability in /admin/list_key.html of HestiaCP before v1.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

  • CVE-2021-30070, Aug 18, 2022
    risk 0.00, cvss n/a, epss 0.01

    An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk [] parameter in the update request being transmitted to the operating system's package manager.

  • CVE-2022-2636, Aug 5, 2022
    risk 0.00, cvss n/a, epss 0.01

    Improper Control of Generation of Code ('Code Injection') in GitHub repository hestiacp/hestiacp prior to 1.6.6.

  • CVE-2022-2626, Aug 5, 2022
    risk 0.00, cvss n/a, epss 0.01

    Incorrect Privilege Assignment in GitHub repository hestiacp/hestiacp prior to 1.6.6.

  • CVE-2022-1509, Apr 28, 2022
    risk 0.00, cvss n/a, epss 0.04

    Command Injection Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.12. An authenticated remote attacker with low privileges can execute arbitrary code under root context.

  • CVE-2022-0986, Mar 16, 2022
    risk 0.00, cvss n/a, epss 0.01

    Reflected Cross-site Scripting (XSS) Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.11.

  • CVE-2022-0752, Mar 4, 2022
    risk 0.00, cvss n/a, epss 0.01

    Cross-site Scripting (XSS) - Generic in GitHub repository hestiacp/hestiacp prior to 1.5.9.

  • CVE-2022-0838, Mar 4, 2022
    risk 0.00, cvss n/a, epss 0.01

    Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.10.

  • CVE-2022-0753, Mar 3, 2022
    risk 0.00, cvss n/a, epss 0.01

    Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.9.

  • CVE-2021-3797, Sep 15, 2021
    risk 0.00, cvss n/a, epss 0.01

    hestiacp is vulnerable to Use of Wrong Operator in String Comparison