Home

Description

HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types. Attackers can exploit insufficient input validation in is_dns_record_format_valid() combined with unsafe eval-based parsing in update_domain_zone() to prematurely close a variable assignment string and achieve full root code execution on the underlying host in a single DNS record creation step.

PUBLISHED Reserved 2025-03-13 | Published 2026-07-10 | Updated 2026-07-14 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
affected

Any version before 1.9.5
affected

Credits

Djibril Mounkoro finder

References

github.com/hestiacp/hestiacp/releases/tag/1.9.5 (Release Notes) release-notes

github.com/hestiacp/hestiacp/pull/5197 (Pull Request) issue-tracking

github.com/...ommit/a74babb739aa92e52b12d6ef52b6b9428ffbbb67 (Patch Commit) patch

www.vulncheck.com/...and-injection-via-dns-record-management third-party-advisory

cve.org (CVE-2025-30007)

nvd.nist.gov (CVE-2025-30007)

Download JSON