Search Results (20 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-43634 | Hestiacp | Hestiacp | 2026-05-19 | 7.5 High | HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request. |
| CVE-2026-43633 | Hestiacp | Hestiacp | 2026-05-19 | 10 Critical | HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP headers that are processed by the PHP session handler but incorrectly deserialized by the Node.js web terminal component as trusted session values, resulting in arbitrary command execution on systems with the web terminal feature enabled. |
| CVE-2021-47871 | Hestiacp | Control Panel | 2026-04-15 | 8.8 High | Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the server. |
| CVE-2022-2636 | Hestiacp | Control Panel | 2026-02-25 | 8.5 High | Improper Control of Generation of Code ('Code Injection') in GitHub repository hestiacp/hestiacp prior to 1.6.6. |
| CVE-2023-5084 | Hestiacp | Hestiacp | 2024-12-03 | 3.9 Low | Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8. |
| CVE-2023-5839 | Hestiacp | Control Panel | 2024-11-21 | 7.8 High | Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8.9. |
| CVE-2023-4517 | Hestiacp | Hestiacp | 2024-11-21 | 5.4 Medium | Cross-site Scripting (XSS) - Stored in GitHub repository hestiacp/hestiacp prior to 1.8.6. |
| CVE-2023-3479 | Hestiacp | Control Panel, Hestiacp | 2024-11-21 | 6.1 Medium | Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.7.8. |
| CVE-2022-2626 | Hestiacp | Control Panel | 2024-11-21 | 7.2 High | Incorrect Privilege Assignment in GitHub repository hestiacp/hestiacp prior to 1.6.6. |
| CVE-2022-2550 | Hestiacp | Control Panel | 2024-11-21 | 8.8 High | OS Command Injection in GitHub repository hestiacp/hestiacp prior to 1.6.5. |
| CVE-2022-1509 | Hestiacp | Control Panel | 2024-11-21 | 9.9 Critical | Command Injection Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.12. An authenticated remote attacker with low privileges can execute arbitrary code under root context. |
| CVE-2022-0986 | Hestiacp | Control Panel | 2024-11-21 | 6.1 Medium | Reflected Cross-site Scripting (XSS) Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.11. |
| CVE-2022-0838 | Hestiacp | Control Panel | 2024-11-21 | 6.1 Medium | Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.10. |
| CVE-2022-0753 | Hestiacp | Control Panel | 2024-11-21 | 6.1 Medium | Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.9. |
| CVE-2022-0752 | Hestiacp | Control Panel | 2024-11-21 | 6.1 Medium | Cross-site Scripting (XSS) - Generic in GitHub repository hestiacp/hestiacp prior to 1.5.9. |
| CVE-2021-3797 | Hestiacp | Control Panel | 2024-11-21 | 9.8 Critical | hestiacp is vulnerable to Use of Wrong Operator in String Comparison. |
| CVE-2021-30071 | Hestiacp | Control Panel | 2024-11-21 | 6.1 Medium | A cross-site scripting (XSS) vulnerability in /admin/list_key.html of HestiaCP before v1.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2021-30070 | Hestiacp | Hestiacp | 2024-11-21 | 7.5 High | An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk [] parameter in the update request being transmitted to the operating system's package manager. |
| CVE-2021-27231 | Hestiacp | Control Panel | 2024-11-21 | 5.4 Medium | Hestia Control Panel 1.3.5 and below, in a shared-hosting environment, sometimes allows remote authenticated users to create a subdomain for a different customer's domain name, leading to spoofing of services or email messages. |
| CVE-2020-10966 | Hestiacp, Vestacp | Control Panel, Control Panel | 2024-11-21 | 6.5 Medium | In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name. |