CVE-2026-12196

HIGH
8.3
CVSS 4.0
Description
The cron job feature of the HestiaCP panel is affected by a broken access control vulnerability. Low-privilege users can modify the panel cron job so that it executes HestiaCP management scripts with passwordless sudo. This can result in the takeover of administrator users in the application and of the underlying web server.
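As an added check (example code written for this page, not part of HestiaCP or the advisory), the script below audits per-user crontab contents for the pattern the description names: a cron entry owned by a non-administrative account that invokes a HestiaCP management script through sudo. It assumes the default install prefix /usr/local/hestia/bin and that only root and admin are expected to own such entries; both are assumptions to adjust for your host, and the crontab contents are constructed sample data.

```python
#!/usr/bin/env python3
"""Audit crontab contents for sudo-wrapped HestiaCP management-script calls.

Added example for CVE-2026-12196; not HestiaCP project code.
Assumptions (adjust for your installation):
  - management scripts live under /usr/local/hestia/bin (default prefix)
  - only root and admin legitimately own cron jobs that reach those scripts
"""
import re
from dataclasses import dataclass

HESTIA_BIN = "/usr/local/hestia/bin"      # assumption: default HestiaCP prefix
TRUSTED_CRON_OWNERS = {"root", "admin"}   # assumption: accounts expected to run panel jobs

# A crontab entry: an @keyword or five schedule fields, then the command.
CRON_LINE = re.compile(r"^\s*(@\w+\s+|(?:\S+\s+){5})(?P<cmd>.+)$")
# A command that reaches a HestiaCP v-* script via sudo.
SUDO_HESTIA = re.compile(
    r"\bsudo\b.*?" + re.escape(HESTIA_BIN) + r"/(?P<script>v-[\w-]+)"
)


@dataclass
class Finding:
    owner: str    # crontab owner
    script: str   # HestiaCP script reached via sudo
    command: str  # full cron command


def audit_crontab(owner: str, text: str) -> list[Finding]:
    """Return entries in `text` (one user's crontab) that invoke a HestiaCP
    script through sudo while the crontab belongs to an untrusted owner.

    Entries owned by trusted accounts are the panel's expected jobs; entries
    owned by anyone else match the advisory's pattern (a low-privilege user's
    cron job reaching passwordless sudo) and are reported.
    """
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and VAR=value assignments such as MAILTO=...
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        hit = SUDO_HESTIA.search(cmd)
        if hit and owner not in TRUSTED_CRON_OWNERS:
            findings.append(Finding(owner, hit.group("script"), cmd))
    return findings


def audit_all(crontabs: dict[str, str]) -> list[Finding]:
    """Audit a mapping of crontab owner -> crontab text."""
    return [f for owner, text in crontabs.items() for f in audit_crontab(owner, text)]


# Constructed sample crontabs (not captured from a real system). The admin
# entry is the expected panel job; alice's @daily entry is the pattern to flag.
SAMPLE_CRONTABS = {
    "admin": (
        "MAILTO=''\n"
        "*/2 * * * * sudo /usr/local/hestia/bin/v-update-sys-queue restart\n"
    ),
    "alice": (
        "# user site backup\n"
        "0 3 * * * /home/alice/bin/backup.sh\n"
        "@daily sudo /usr/local/hestia/bin/v-backup-user alice\n"
    ),
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_CRONTABS):
        print(f"{f.owner}: reaches {f.script} via sudo -> {f.command}")
```

On a live host, feed the function the output of `crontab -l -u USER` for each panel user (or the files under the cron spool directory) instead of the embedded sample; any finding for a non-trusted owner is worth investigating regardless of which v-* script it names.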

Metadata

CVE ID
CVE-2026-12196
State
PUBLISHED
Assigner
PRJBLK
Reserved
2026-06-14 07:01 UTC
Published
2026-07-04 12:05 UTC
Last updated
2026-07-04 12:05 UTC
Primary CWE
CWE-287
CWE-287: Improper Authentication
Vendor / Product
hestiacp / hestiacp
Sources
cve.org  ·  NVD

Severity & Metrics

8.3 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Vector breakdown: network-reachable (AV:N), low attack complexity (AC:L), no special attack requirements (AT:N), low privileges required (PR:L, a panel user account), no user interaction (UI:N); high confidentiality impact on the vulnerable system (VC:H) and on subsequent systems (SC:H); no integrity or availability impact scored (VI:N, VA:N, SI:N, SA:N).
Affected products (1)
Vendor
hestiacp
Product
hestiacp
Platform
(none listed)
Versions
all versions before commit 8be23943c7e3231f66d226ca931c76f93be98412 (range "0 < 8be23943c7e3231f66d226ca931c76f93be98412")
Weakness (CWE)
CWE
CWE-287
Source
cna
Description
CWE-287: Improper Authentication
CVSS scores (1)
Score
8.3
Severity
HIGH
Version
4.0
Source
cna
Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N