{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-25614", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-02-03T19:16:42.910Z", "datePublished": "2026-02-03T19:16:43.188Z", "dateUpdated": "2026-02-05T06:19:47.455Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Blesta", "vendor": "Blesta", "versions": [{"lessThan": "5.13.3", "status": "affected", "version": "3.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-03T19:30:51.821Z"}, "references": [{"url": "https://www.blesta.com/2026/01/28/security-advisory/"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T20:57:38.653971Z", "id": "CVE-2026-25614", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T20:57:45.172Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2026/Feb/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-05T06:19:47.455Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2026/Feb/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-05T06:19:47.455Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25614", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-03T20:57:38.653971Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T20:57:41.321Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Blesta", "product": "Blesta", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "5.13.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.blesta.com/2026/01/28/security-advisory/"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-03T19:30:51.821Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25614", "state": "PUBLISHED", "dateUpdated": "2026-02-05T06:19:47.455Z", "dateReserved": "2026-02-03T19:16:42.910Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-03T19:16:43.188Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phillipsdata:blesta:*:*:*:*:*:*:*:*", "matchCriteriaId": "9853B7D0-989D-4D86-8098-5A6D479BA9C2", "versionEndExcluding": "5.13.2", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680."}], "id": "CVE-2026-25614", "lastModified": "2026-02-13T21:27:41.227", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-02-03T20:15:58.913", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.blesta.com/2026/01/28/security-advisory/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2026/Feb/2"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:06:14.366552+00:00", "value": {"mitigation_remediation": ["Upgrade Blesta to version 5.13.3 or later, which implements proper deserialization safety checks.", "If an immediate upgrade is not possible, restrict network access to any API endpoints or web pages that process serialized input, or disable the features that accept such data.", "Implement logging and monitoring for suspicious deserialization attempts and restrict application privileges to limit potential damage in case of successful exploitation."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected vendors and products are Blesta CRM/The Blesta Suite, with vulnerable releases from version 3.x up to, but not including, 5.13.3. No additional version details are specified beyond this range.", "description_and_impact": "Blesta versions 3.x through 5.x before 5.13.3 contain an insecure deserialization flaw known as object injection. This weakness, classified as CWE-502, allows an attacker to supply a crafted serialized payload that the application accepts and deserializes without proper validation. When the payload is processed, the application may instantiate attacker\u2011controlled objects, enabling arbitrary code execution and complete takeover of the underlying system.", "risk_and_exploitability": "The vulnerability is rated CVSS 7.5, indicating a high severity. The EPSS score is below 1%, suggesting the probability of a real\u2011world exploit is low at present, and it is not listed in the CISA KEV catalog. However, the flaw is remotely exploitable via the web interface or any API endpoint that accepts serialized data; no authentication requirement is disclosed, meaning attackers could potentially target public endpoints. Should exploitation occur, the impact would be total compromise of affected systems."}}}}, "created": "2026-02-04T12:05:49.243870+00:00", "title": "Object Injection in Blesta 3.x\u20135.x Allowing Remote Code Execution", "updated": "2026-04-18T00:15:31.784237+00:00", "vendors": ["blesta", "blesta$PRODUCT$blesta"]}