hestiacp CVE Vulnerabilities & Metrics

Focus on hestiacp vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About hestiacp Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with hestiacp. We track both calendar-based metrics (using fixed periods) and rolling metrics (using sliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.


Global CVE Overview

Total hestiacp CVEs: 14
Earliest CVE date: 25 Mar 2020, 23:15 UTC
Latest CVE date: 29 Oct 2023, 01:15 UTC

Latest CVE reference: CVE-2023-5839

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -100.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -100.0%

Monthly CVE Trends (current vs. previous year) [chart: not reproduced in text]

Annual CVE Trends (Last 20 Years) [chart: not reproduced in text]

Critical hestiacp CVEs (CVSS ≥ 9) Over 20 Years [chart: not reproduced in text]

CVSS Stats

Average CVSS: 3.41

Max CVSS: 9.0

Critical CVEs (≥9): 1

CVSS Range vs. Count

Range       Count
0.0-3.9     5
4.0-6.9     7
7.0-8.9     1
9.0-10.0    1

CVSS Distribution Chart [chart: not reproduced in text]

Top 5 Highest CVSS hestiacp CVEs

These are the five CVEs with the highest CVSS scores for hestiacp, sorted by severity first and then by recency.

All CVEs for hestiacp

CVE-2023-5839 hestiacp vulnerability CVSS: 0 29 Oct 2023, 01:15 UTC

Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8.9.

CVE-2023-3479 hestiacp vulnerability CVSS: 0 30 Jun 2023, 10:15 UTC

Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.7.8.

CVE-2021-30071 hestiacp vulnerability CVSS: 4.3 18 Aug 2022, 05:15 UTC

A cross-site scripting (XSS) vulnerability in /admin/list_key.html of HestiaCP before v1.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

CVE-2022-2636 hestiacp vulnerability CVSS: 0 05 Aug 2022, 10:15 UTC

Improper Control of Generation of Code ('Code Injection') in GitHub repository hestiacp/hestiacp prior to 1.6.6.

CVE-2022-2626 hestiacp vulnerability CVSS: 0 05 Aug 2022, 09:15 UTC

Incorrect Privilege Assignment in GitHub repository hestiacp/hestiacp prior to 1.6.6.

CVE-2022-2550 hestiacp vulnerability CVSS: 0 27 Jul 2022, 15:15 UTC

OS Command Injection in GitHub repository hestiacp/hestiacp prior to 1.6.5.

CVE-2022-1509 hestiacp vulnerability CVSS: 9.0 28 Apr 2022, 10:15 UTC

Command Injection Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.12. An authenticated remote attacker with low privileges can execute arbitrary code under root context.

CVE-2022-0986 hestiacp vulnerability CVSS: 4.3 16 Mar 2022, 13:15 UTC

Reflected Cross-site Scripting (XSS) Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.11.

CVE-2022-0752 hestiacp vulnerability CVSS: 4.3 04 Mar 2022, 12:15 UTC

Cross-site Scripting (XSS) - Generic in GitHub repository hestiacp/hestiacp prior to 1.5.9.

CVE-2022-0838 hestiacp vulnerability CVSS: 4.3 04 Mar 2022, 08:15 UTC

Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.10.

CVE-2022-0753 hestiacp vulnerability CVSS: 4.3 03 Mar 2022, 16:15 UTC

Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.9.

CVE-2021-3797 hestiacp vulnerability CVSS: 7.5 15 Sep 2021, 13:15 UTC

hestiacp is vulnerable to Use of Wrong Operator in String Comparison.

CVE-2021-27231 hestiacp vulnerability CVSS: 5.5 16 Feb 2021, 04:15 UTC

Hestia Control Panel 1.3.5 and below, in a shared-hosting environment, sometimes allows remote authenticated users to create a subdomain for a different customer's domain name, leading to spoofing of services or email messages.

CVE-2020-10966 hestiacp vulnerability CVSS: 4.3 25 Mar 2020, 23:15 UTC

In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name.