HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars() encoding to the DNS record value field rendered into the data-sort-value HTML attribute in list_dns_rec.php, allowing the payload to execute in the browser of any user who views the DNS record list, including administrators.
CVE-2025-30008
Score 4.6 from GitHub Security Advisory published 2026-07-10. a secondary CVSS source baseline 4.6; sources differ by 0.0.
- Lower severity and no public exploit yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 4.6
- EG Score
- 4.6(high)
- EPSS
- 7.8%
- KEV
- Not listed
Published
July 10, 2026
Last Modified
July 14, 2026
Advisory Details (4)
Auto-updated Jul 10, 2026HestiaCP < 1.9.5 Stored XSS via DNS Record Management Interface | Advisories | VulnCheck
https://www.vulncheck.com/advisories/hestiacp-stored-xss-via-dns-record-management-interfacecommit 07dda18ef008 (hestiacp/hestiacp)
Patch available: hestiacp/hestiacp 1.9.6 (contains commit 07dda18ef008)
https://github.com/hestiacp/hestiacp/commit/07dda18ef0087ea981ff84d4d5757774cf2124b0Harden DNS record listing escaping
Patch available: hestiacp/hestiacp 1.9.6 (PR #5196 merged 2025-12-29)
https://github.com/hestiacp/hestiacp/pull/51961.9.5 Service Release
Patch available: hestiacp/hestiacp 1.9.5
https://github.com/hestiacp/hestiacp/releases/tag/1.9.5Vendor Advisories for CVE-2025-30008(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 21× in last 7d / 21× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-15 16:57 UTCEPSS rescore
- 2026-07-15 16:57 UTCEPSS rescore
- 2026-07-15 13:39 UTCEG score recompute
- 2026-07-15 13:39 UTCGHSA enrichment
- 2026-07-15 01:59 UTCEPSS rescore
- 2026-07-15 01:59 UTCEPSS rescore
- 2026-07-14 14:36 UTCEG score recompute
- 2026-07-14 14:36 UTCGHSA enrichment
- 2026-07-13 22:29 UTCEPSS rescore
- 2026-07-13 15:33 UTCEG score recompute
- 2026-07-13 15:33 UTCGHSA enrichment
- 2026-07-13 06:12 UTCEPSS rescore
- 2026-07-13 06:12 UTCEPSS rescore
- 2026-07-12 16:29 UTCEG score recompute
- 2026-07-12 16:29 UTCGHSA enrichment
- 2026-07-12 05:46 UTCEPSS rescore
- 2026-07-12 05:46 UTCEPSS rescore
- 2026-07-11 17:26 UTCEG score recompute
- 2026-07-11 17:26 UTCGHSA enrichment
- 2026-07-10 18:23 UTCEG score recompute
- 2026-07-10 18:22 UTCMITRE cvelistV5first tracked
Related CVEs(same CWE)
Frequently asked(5)
What is CVE-2025-30008?
When was CVE-2025-30008 disclosed?
Is CVE-2025-30008 actively exploited?
What is the CVSS score of CVE-2025-30008?
How do I remediate CVE-2025-30008?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2025-30008
Is Your Infrastructure Affected by CVE-2025-30008?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.