{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-25616", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-02-03T19:21:14.218Z", "datePublished": "2026-02-03T19:21:14.440Z", "dateUpdated": "2026-02-05T06:19:50.117Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Blesta", "vendor": "Blesta", "versions": [{"lessThan": "5.13.3", "status": "affected", "version": "3.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-03T19:31:39.024Z"}, "references": [{"url": "https://www.blesta.com/2026/01/28/security-advisory/"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T20:47:12.876403Z", "id": "CVE-2026-25616", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T20:47:19.658Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2026/Feb/0"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-05T06:19:50.117Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2026/Feb/0"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-05T06:19:50.117Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25616", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T20:47:12.876403Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T20:47:16.289Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Blesta", "product": "Blesta", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "5.13.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.blesta.com/2026/01/28/security-advisory/"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-03T19:31:39.024Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25616", "state": "PUBLISHED", "dateUpdated": "2026-02-05T06:19:50.117Z", "dateReserved": "2026-02-03T19:21:14.218Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-03T19:21:14.440Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phillipsdata:blesta:*:*:*:*:*:*:*:*", "matchCriteriaId": "A3CF9CFF-01DA-4E16-8570-58E83F6C0EA8", "versionEndExcluding": "5.13.2", "versionStartIncluding": "3.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665."}, {"lang": "es", "value": "Blesta 3.x hasta 5.x anterior a 5.13.3 maneja incorrectamente la validaci\u00f3n de entrada, tambi\u00e9n conocido como CORE-5665."}], "id": "CVE-2026-25616", "lastModified": "2026-02-18T18:44:31.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.7, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-03T20:15:59.240", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.blesta.com/2026/01/28/security-advisory/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2026/Feb/0"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:05:32.492191+00:00", "value": {"mitigation_remediation": ["Update Blesta to version 5.13.3 or later as advised in the vendor advisory.", "If patching is delayed, implement input sanitization or content security policy to mitigate XSS exposure, following the guidance in the advisories.", "Monitor application logs for abnormal input patterns and ensure that the web server configuration blocks scripts from executing within allowed directories."], "summary": {"action": "Apply patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The crafted input logic is used in the Blesta billing and support web application, owned by the Blesta company. Affected versions include the whole 3.x series and 5.x series before the 5.13.3 release. All deployments of these releases are potentially vulnerable unless patches beyond 5.13.3 are applied.", "description_and_impact": "The vendor has identified an input validation flaw in Blesta versions 3.x through 5.x prior to 5.13.3. This weakness, cataloged as CWE\u201179, allows an attacker to inject malicious JavaScript or other code through crafted input that is not correctly sanitized. The result can be a traditional client\u2011side cross\u2011site scripting (XSS) attack, where an attacker can deface a page, steal session cookies, or perform other client\u2011side compromise tasks. The vulnerability does not directly grant an attacker arbitrary code execution on the server, but it can be used to facilitate phishing or other attacks against end\u2011users that visit the affected pages.", "risk_and_exploitability": "The CVSS score of 4.7 indicates a moderate severity. An EPSS probability of 2% suggests that, while the flaw has a tangible chance of exploitation, it is not a high\u2011risk target compared to other vulnerabilities. It is not listed in the CISA KEV catalog, meaning there are no confirmed widespread exploits at this time. The typical attack path involves an attacker supplying malicious payloads through the web interface, which are then reflected in the browser. Because the flaw tamps user input handling, it is generally exploitable remotely via standard HTTP requests to the affected application."}}}}, "created": "2026-02-04T12:05:24.595856+00:00", "title": "Blesta Input Validation XSS Vulnerability", "updated": "2026-04-18T00:15:31.782863+00:00", "vendors": ["blesta", "blesta$PRODUCT$blesta"]}