CVE-2026-12196 PUBLISHED

HestiaCP Admin Takeover

Assigner: PRJBLK
Reserved: 14.06.2026 Published: 04.07.2026 Updated: 04.07.2026

HestiaCP panel cronjob feature is affected by a broken access control vulnerability. Low privilege users can modify the panel cronjob to execute scripts HestiaCP management scripts with passwordless sudo. This could result in the takeover of administrator users in the application and the underlying webserver.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
CVSS Score: 8.3

Product Status

Vendor hestiacp
Product hestiacp
Versions Default: unaffected
  • affected from 0 to 8be23943c7e3231f66d226ca931c76f93be98412 (excl.)

References

Problem Types

  • CWE-287: Improper Authentication CWE

Impacts

  • CAPEC-233 Privilege Escalation