CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2025-30007

highCVSS 8.8covered by 1 sourcefirst seen 2026-07-10
HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types. Attackers can exploit insufficient input validation in is_dns_record_format_valid() combined with unsafe eval-based parsing in update_domain_zone() to prematurely close a variable assignment string and achieve full root code execution on the underlying host in a single DNS record creation step.

⚡ Watch CVE-2025-30007

Get an email if CVE-2025-30007 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2025-30007

CVE.org record

Embed the live status

CVE-2025-30007 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2025-30007 status](https://www.csirts.com/badge/CVE-2025-30007)](https://www.csirts.com/cve/CVE-2025-30007)