CVE-2025-30008
Undergoing Analysis Undergoing Analysis - In Progress

Stored XSS in HestiaCP DNS Record Management

Vulnerability report for CVE-2025-30008, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars() encoding to the DNS record value field rendered into the data-sort-value HTML attribute in list_dns_rec.php, allowing the payload to execute in the browser of any user who views the DNS record list, including administrators.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
hestia control_panel to 1.9.5 (exc)
hestiacp hestiacp to 1.9.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-30008 is a stored cross-site scripting (XSS) vulnerability in HestiaCP versions before 1.9.5. It allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a specially crafted value containing a double-quote followed by a script payload. The application fails to properly encode this value when rendering it in the data-sort-value HTML attribute on the DNS record listing page (list_dns_rec.php). As a result, the malicious script executes in the browsers of any users who view the DNS record list, including administrators.

The root cause is insufficient HTML escaping of user-controlled input in the DNS record value field, which leads to improper neutralization of input during web page generation.

Impact Analysis

This vulnerability can impact you by allowing an attacker with low privileges to execute arbitrary scripts in the browsers of users who view the DNS record list, including administrators. This can lead to unauthorized actions performed with the privileges of the victim user, such as stealing session cookies, performing actions on behalf of the user, or defacing the web interface.

Because the malicious payload is stored and executed when the DNS record list is viewed, it can persist and affect multiple users, increasing the risk and potential damage.

The vulnerability has a medium severity CVSS score of 5.1, indicating a moderate risk that should be addressed promptly.

Detection Guidance

This vulnerability can be detected by checking if your HestiaCP installation is a version before 1.9.5, as those versions are affected by the stored cross-site scripting issue in the DNS record management interface.

To detect exploitation attempts or presence of malicious DNS records, you can review DNS records in the HestiaCP interface for suspicious entries containing double-quotes followed by script payloads in the value field.

Since this is a web application vulnerability involving stored XSS, network detection might involve monitoring HTTP requests to the DNS record management pages for suspicious payloads.

Specific commands are not provided in the available resources, but you can manually inspect the DNS records via the HestiaCP interface or query the database directly for DNS record values containing suspicious characters such as double-quotes and script tags.

Mitigation Strategies

The immediate mitigation step is to upgrade HestiaCP to version 1.9.5 or later, where the vulnerability has been fixed by implementing comprehensive HTML escaping using a centralized tohtml() function.

Until the upgrade can be performed, restrict low-privilege authenticated users from creating or modifying DNS records to prevent injection of malicious payloads.

Additionally, review and sanitize existing DNS records for any suspicious or malicious content that could trigger the XSS vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-30008. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart