CVE-2026-12196

HIGH

HestiaCP Admin Takeover

Title source: cna
STIX 2.1

Description

HestiaCP panel cronjob feature is affected by a broken access control vulnerability. Low privilege users can modify the panel cronjob to execute scripts HestiaCP management scripts with passwordless sudo. This could result in the takeover of administrator users in the application and the underlying webserver.

References (2)

Core 2

Scores

CVSS v4 8.3
EPSS 0.0026
EPSS Percentile 16.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-287
Status published
Products (1)
hestiacp/hestiacp < 8be23943c7e3231f66d226ca931c76f93be98412
Published Jul 04, 2026
Tracked Since Jul 04, 2026