CVE-2026-25616

4.7 MEDIUM

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in the Blesta billing software: user-supplied input is not properly validated or encoded before it is rendered, so an attacker can inject script into pages other users view. The vulnerability affects all Blesta installations from version 3.x through 5.x before 5.13.3. When a victim views the specially crafted content, the injected JavaScript runs in their browser with the victim's session.

💻 Affected Systems

Products:
  • Blesta
Versions: 3.x through 5.x before 5.13.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations within the affected version range are vulnerable. No special configuration required for exploitation.

📦 What is this software?

Blesta is a PHP-based client management and billing application, commonly deployed by web hosting providers and similar service businesses. It exposes a staff admin interface and a client portal over HTTP(S); the advisory covers installations of the 3.x, 4.x and 5.x release lines before 5.13.3.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies (where they are not protected by the HttpOnly flag), perform actions as the authenticated user by issuing requests from within the victim's session, redirect victims to malicious sites, or deface the application interface.

🟠 Likely Case

Attackers inject malicious scripts that steal user session data or credentials when victims view the compromised pages.

🟢 If Mitigated

With proper input validation and output encoding in place, the injected payloads are rendered as inert text rather than executed, and a restrictive Content Security Policy further limits what any script that does slip through can do.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: LOW

XSS vulnerabilities typically require user interaction (a victim viewing the malicious content) but are relatively easy to exploit once the injection point is identified. Since no unauthenticated exploit is known, an attacker is expected to need some level of access to reach the injection point; a staff user or client must then view the injected content for the payload to run.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.13.3

Vendor Advisory: https://www.blesta.com/2026/01/28/security-advisory/

Restart Required: No

Instructions:

1. Back up your Blesta installation and database.
2. Download Blesta 5.13.3 or later from the official website.
3. Follow the standard Blesta upgrade procedure as documented by the vendor.
4. Verify the upgrade completed successfully and that the reported version is 5.13.3 or later.

🔧 Temporary Workarounds

Input Validation Enhancement

Applies to: all

Implement additional input validation and, more importantly, context-appropriate output encoding in any custom modules or plugins that render user-controlled data. This reduces exposure from your own code; it does not fix the vulnerable core code, which only the 5.13.3 upgrade does.

Content Security Policy

Applies to: all

Set a strict Content Security Policy header to limit what an injected script can do. Caveat: the policy below forbids inline scripts and any script source other than the site itself; if the Blesta UI or an installed plugin relies on inline script blocks or externally hosted scripts, it will break. Deploy it first as Content-Security-Policy-Report-Only, review the violation reports, then switch to the enforcing header. CSP narrows the impact but does not remove the injection point, so treat it as a stopgap until 5.13.3 is applied. Apache example (requires mod_headers; "always" also applies the headers to error responses):

<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>

🧯 If You Can't Patch

  • Put a Web Application Firewall (WAF) with XSS rules in front of Blesta. A WAF only blocks payload patterns it recognizes, so it reduces rather than eliminates risk.
  • Restrict access to the Blesta admin interface to trusted IP addresses only. This limits exposure of staff sessions but does nothing for the client-facing portal.

🔍 How to Verify

Check if Vulnerable:

Check your Blesta version in the admin dashboard, or by examining the config/blesta.php file under the Blesta install root.

Check Version:

grep -i 'version' /path/to/blesta/config/blesta.php

Verify Fix Applied:

Verify the version shows 5.13.3 or higher in the admin dashboard
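The version check above can be scripted for fleet-wide use. The following is an added example, not code from Blesta or from the advisory: it pulls the version string out of a config/blesta.php-style file and decides whether it falls in the affected range (3.x through 5.x, before 5.13.3). The line format it expects, Configure::set("Blesta.version", "5.13.2");, is an assumption about the config layout; adjust VERSION_RE if your file differs. The sample config text is constructed for the example.

```python
"""Added example (not from Blesta or the advisory): read the version out of a
config/blesta.php-style file and test it against the affected range.

Assumption: the config contains a line shaped like
    Configure::set("Blesta.version", "5.13.2");
Adjust VERSION_RE if your installation stores the version differently."""
import re

FIXED_VERSION = "5.13.3"
AFFECTED_MAJORS = (3, 4, 5)

# Matches Blesta.version", "<digits and dots>   (single or double quotes)
VERSION_RE = re.compile(r"""Blesta\.version["']\s*,\s*["']([0-9][0-9.]*)""")


def parse_version(v: str) -> tuple:
    """'5.13.2' -> (5, 13, 2). Non-numeric suffixes in a component are ignored;
    an empty or non-numeric component counts as 0."""
    parts = []
    for piece in v.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than version b, padding missing
    components with 0 so that '5.13' compares equal to '5.13.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def version_from_config(text: str):
    """Return the version string found in the config text, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """Affected range per the advisory: 3.x through 5.x, older than 5.13.3."""
    major = parse_version(version)[0]
    return major in AFFECTED_MAJORS and version_lt(version, FIXED_VERSION)


# Constructed sample standing in for a real config/blesta.php.
SAMPLE_CONFIG = """<?php
// constructed sample, not a real install
Configure::set("Blesta.version", "5.13.2");
"""

if __name__ == "__main__":
    found = version_from_config(SAMPLE_CONFIG)
    if found is None:
        print("no version string found; inspect the file by hand")
    else:
        state = "AFFECTED" if is_affected(found) else "not affected"
        print(f"Blesta {found}: {state} (fix: {FIXED_VERSION})")
```

To run it against a real install, replace SAMPLE_CONFIG with the contents of config/blesta.php; the version comparison is purely numeric, so a pre-release tag such as "5.13.3-b1" is treated as 5.13.3 and should be double-checked by hand.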

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST or GET requests whose parameters contain script tags, event handlers or javascript: URLs, in plain or URL-encoded form
  • Repeated submissions to the same form that are rejected by validation, where your application logging captures them

Network Indicators:

  • HTTP requests containing suspicious script tags or encoded JavaScript

SIEM Query:

source="web_logs" AND ("<script" OR "javascript:" OR "onload=" OR "onerror=") AND dest_ip="blesta_server_ip"

Replace blesta_server_ip with the address of your Blesta host. This query only matches literal markers; extend it with URL-encoded variants such as "%3Cscript" and "%3C%2Fscript", or decode the request field before matching, or encoded payloads will be missed. Note also that standard web server access logs record the request line and not POST bodies, so a payload submitted in a form body is only visible if the application, a reverse proxy or a WAF logs request bodies.
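The detection logic from the query above, run over access log lines, as an added example that is not part of the advisory or of Blesta. It parses Combined Log Format lines, URL-decodes the request path a bounded number of times so that single- and double-encoded payloads are caught, and reports which marker matched. The log lines, IP addresses and URL paths are constructed for the example; the path layout (/client/, /admin/) is an assumption and is not needed for the matching to work.

```python
"""Added example (not from the advisory or from Blesta): scan web server
access logs for XSS-style payloads, as the SIEM query on the page does, but
with URL decoding so encoded payloads are not missed.  All log lines below
are constructed for the example."""
import re
from urllib.parse import unquote

# Markers from the page's SIEM query plus a few common event-handler forms.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|\bon(?:load|error|mouseover|focus)\s*=|<\s*svg|<\s*img",
    re.IGNORECASE,
)

# Combined Log Format: host ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_fully(s: str, rounds: int = 3) -> str:
    """URL-decode repeatedly, at most `rounds` times, to unwrap
    double-encoded payloads such as %253Cscript%253E."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_log(lines):
    """Return a list of (ip, method, raw_path, marker) for each request whose
    decoded path contains an XSS marker. Lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_fully(m.group("path"))
        found = XSS_MARKERS.search(decoded)
        if found:
            hits.append((m.group("ip"), m.group("method"),
                         m.group("path"), found.group(0).lower()))
    return hits


# Constructed sample log: two benign requests, one plain-encoded payload,
# one double-encoded payload and one javascript: URL.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jan/2026:10:00:01 +0000] "GET /client/login/ HTTP/1.1" 200 5120',
    '203.0.113.5 - - [28/Jan/2026:10:00:07 +0000] "POST /admin/clients/edit/1/ HTTP/1.1" 302 0',
    '198.51.100.9 - - [28/Jan/2026:10:01:13 +0000] "GET /client/?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 3981',
    '198.51.100.9 - - [28/Jan/2026:10:01:20 +0000] "GET /client/?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 3981',
    '192.0.2.77 - - [28/Jan/2026:10:02:00 +0000] "GET /client/?redirect=javascript:alert(document.cookie) HTTP/1.1" 200 3981',
]

if __name__ == "__main__":
    for ip, method, path, marker in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {path} -> matched {marker!r}")
```

The second sample line is a POST whose body is not in the access log, so it produces no hit even if it carried the payload; that is the blind spot the note above describes, and closing it needs request-body logging at the application, proxy or WAF layer. Expect some noise from legitimate requests that happen to contain these substrings; triage by source IP and target path rather than alerting on every single match.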

🔗 References

  • Vendor advisory: https://www.blesta.com/2026/01/28/security-advisory/
