CVE-2026-43634
- EPSS 0.24%
- Veröffentlicht 19.05.2026 13:33:08
- Zuletzt bearbeitet 19.05.2026 17:57:58
HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verify...
- EPSS 1.07%
- Veröffentlicht 19.05.2026 13:29:55
- Zuletzt bearbeitet 19.05.2026 14:43:04
HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution....
CVE-2021-47871
- EPSS 0.42%
- Veröffentlicht 21.01.2026 17:27:47
- Zuletzt bearbeitet 15.04.2026 00:35:42
Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys ...
CVE-2023-4517
- EPSS 0.4%
- Veröffentlicht 13.10.2023 13:15:12
- Zuletzt bearbeitet 21.11.2024 08:35:20
Cross-site Scripting (XSS) - Stored in GitHub repository hestiacp/hestiacp prior to 1.8.6.
CVE-2023-5084
- EPSS 0.4%
- Veröffentlicht 20.09.2023 10:15:15
- Zuletzt bearbeitet 21.11.2024 08:41:02
Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8.
CVE-2021-30070
- EPSS 0.63%
- Veröffentlicht 18.08.2022 05:15:07
- Zuletzt bearbeitet 21.11.2024 06:03:17
An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk [] parameter in the update request being transmitted to the operating system's package manager.