CVE-2022-0986: XSS in HestiaCP Control Panel
Platform: php
Component: hestiacp
Fixed in: 1.5.11
CVE-2022-0986 describes a reflected Cross-Site Scripting (XSS) vulnerability discovered in the HestiaCP control panel. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or defacement. The vulnerability affects versions of HestiaCP prior to 1.5.11, and a patch is available.
Impact and Attack Scenarios
An attacker could exploit this XSS vulnerability by crafting a malicious URL containing JavaScript code. When a user clicks on this URL, the injected script executes in their browser within the context of the HestiaCP control panel. This could allow the attacker to steal session cookies, redirect the user to a phishing site, or modify the content of the page. The impact is primarily limited to the user's session and the specific page where the script is injected, but could be amplified if the targeted user has elevated privileges within the control panel.
Exploitation Context
CVE-2022-0986 was publicly disclosed on March 16, 2022. No known active exploitation campaigns have been reported. There are no publicly available proof-of-concept exploits at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog.
Threat Intelligence
EPSS: 0.33% (56th percentile)
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: High — admin or privileged account required to exploit.
- User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: Low — partial or indirect data access. Attacker gains limited information.
- Integrity: None — no integrity impact. Attacker cannot modify data.
- Availability: None — no availability impact. Service remains fully operational.
Mitigation and Workarounds
The primary mitigation for CVE-2022-0986 is to upgrade HestiaCP to version 1.5.11 or later. This version includes a fix for the reflected XSS vulnerability. If upgrading immediately is not possible, consider implementing input validation and output encoding on user-supplied data within the HestiaCP application. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload via a URL parameter and verifying that it is properly sanitized.
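The input validation and output encoding recommended above, shown as an added PHP example that is not HestiaCP's own code: the `domain` query parameter and the page fragment it is rendered into are hypothetical, and the crafted input is constructed for the demonstration.

```php
<?php
// Added illustration of the reflected-XSS pattern and its fix; not HestiaCP code.
// The "domain" parameter and the <h1> fragment are hypothetical.

// Vulnerable pattern: a query-string value is echoed into HTML without encoding,
// so anything a crafted URL carries becomes part of the page as markup.
function render_vulnerable(array $query): string
{
    $domain = $query['domain'] ?? '';
    return "<h1>Settings for " . $domain . "</h1>";
}

// Hardened pattern: allow-list validation on the way in, and context-aware
// output encoding on the way out. Encoding alone is sufficient for an HTML
// text context; validation additionally keeps junk out of downstream logic.
function render_hardened(array $query): string
{
    $domain = $query['domain'] ?? '';
    // Input validation: accept only hostname-like characters of bounded length.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $domain)) {
        $domain = '';
    }
    // Output encoding for an HTML text node: <, >, &, " and ' become entities.
    $safe = htmlspecialchars($domain, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>Settings for " . $safe . "</h1>";
}

// Constructed sample input of the kind a crafted URL would deliver via $_GET.
$crafted = ['domain' => '<script>alert(1)</script>'];

// Vulnerable output contains a live <script> element.
echo render_vulnerable($crafted) . PHP_EOL;
// Hardened output: validation empties the value; even without validation,
// htmlspecialchars() would render it as inert text ("&lt;script&gt;...").
echo render_hardened($crafted) . PHP_EOL;
echo htmlspecialchars($crafted['domain'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . PHP_EOL;
```

Run with `php example.php`; the first line shows the raw script tag, the remaining two show the neutralised forms.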
How to fix
Upgrade HestiaCP to version 1.5.11 or later. This version contains the fix for the reflected XSS vulnerability. The upgrade can be performed through the HestiaCP control panel or from the command line.
Frequently asked questions
What is CVE-2022-0986 — XSS in HestiaCP?
CVE-2022-0986 is a reflected Cross-Site Scripting (XSS) vulnerability affecting HestiaCP versions prior to 1.5.11, allowing attackers to inject malicious scripts.
Am I affected by CVE-2022-0986 in HestiaCP?
You are affected if you are using a HestiaCP version earlier than 1.5.11. Upgrade to 1.5.11 or later to resolve the vulnerability.
How do I fix CVE-2022-0986 in HestiaCP?
Upgrade HestiaCP to version 1.5.11 or later. Consider input validation and output encoding as additional security measures.
Is CVE-2022-0986 being actively exploited?
No active exploitation campaigns have been reported at this time, but vigilance is still recommended.
Where can I find the official HestiaCP advisory for CVE-2022-0986?
Refer to the official HestiaCP security advisory for details: https://docs.hestiacp.com/security/security-advisories/