Description
Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668.
Published: 2026-02-03
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Object injection that can lead to arbitrary code execution
Action: Patch soon
AI Analysis

Impact

Blesta versions 3.x through 5.x before 5.13.3 suffer from the CORE-5668 object‑injection flaw, which permits an attacker to supply crafted serialized data that is unserialized by the application without proper validation. This vulnerability is classified as CWE‑502 and can lead to remote code execution, allowing the attacker to take full control over the affected system and compromise data confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects the Blesta product from the vendor Blesta, specifically all releases in the 3.x, 4.x, and 5.x series prior to version 5.13.3. Users of these versions are at risk regardless of deployment size or geographic location.

Risk and Exploitability

The CVSS score of 7.2 denotes high severity, but the EPSS score below 1% indicates a low current probability of exploitation, and the vulnerability is not yet catalogued in the CISA KEV list. The likely attack vector is remote exploitation through the web interface or exposed APIs, since the flaw stems from deserializing untrusted input. Exploitation requires some interaction with the application, and the absence of exploitation evidence so far suggests that attackers would first need to identify specific instances that expose the vulnerable code path.

Generated by OpenCVE AI on April 18, 2026 at 00:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Blesta release (5.13.3 or newer) to eliminate the object‑injection flaw.
  • If an upgrade cannot be performed immediately, temporarily disable or remove any API endpoints or modules that accept serialized data from users until the fix is applied.
  • Ensure that all incoming data is validated or strictly typed before deserialization, and replace any use of PHP’s unserialize() with safer alternatives or whitelisting mechanisms.
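As an added illustration of the last recommendation, a hardened wrapper around PHP's unserialize(); this is example code written for this record, not Blesta's code, and the function name, class allow-list and sample payloads are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical hardening wrapper around unserialize() (added example, not Blesta code).
// Assumes PHP 8+. Objects are instantiated only for classes on an explicit allow-list;
// anything else the engine stubs out as __PHP_Incomplete_Class, which we reject here
// rather than letting a half-built object reach application code.
function safeUnserialize(string $payload, array $allowedClasses = []): mixed
{
    $result = @unserialize($payload, [
        // false disables object instantiation entirely; a class list restricts it
        'allowed_classes' => $allowedClasses === [] ? false : $allowedClasses,
        'max_depth'       => 16,   // bound nesting so a deep payload cannot exhaust the stack
    ]);
    if ($result === false && $payload !== serialize(false)) {
        throw new UnexpectedValueException('Malformed or over-deep serialized input');
    }
    // Walk arrays and object properties recursively and refuse any stubbed-out object.
    $walk = function (mixed $v) use (&$walk): void {
        if ($v instanceof __PHP_Incomplete_Class) {
            throw new UnexpectedValueException('Serialized payload references a disallowed class');
        }
        if (is_array($v) || is_object($v)) {
            foreach ((array) $v as $child) {
                $walk($child);
            }
        }
    };
    $walk($result);
    return $result;
}

// Constructed sample inputs (not real Blesta traffic).
$scalarOnly = serialize(['plan' => 'basic', 'qty' => 2]);
$withObject = serialize(new stdClass());   // any object, even stdClass, is refused by default

var_dump(safeUnserialize($scalarOnly));    // accepted: scalars and arrays only
try {
    safeUnserialize($withObject);           // rejected: no class is allow-listed
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Where the wire format is yours to choose, JSON removes the problem class entirely:
// json_decode() can never instantiate application objects.
$data = json_decode('{"plan":"basic","qty":2}', true, 16, JSON_THROW_ON_ERROR);
```

Pass an explicit class list only for the few value-object classes a given endpoint genuinely needs, and keep the default (no classes) everywhere else.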

Generated by OpenCVE AI on April 18, 2026 at 00:05 UTC.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 00:30:00 +0000

  Type   | Values Removed | Values Added
  Title  |                | Object Injection Vulnerability in Blesta Versions 3.x to 5.x Before 5.13.3

Fri, 13 Feb 2026 21:30:00 +0000

  Type                | Values Removed | Values Added
  First Time appeared |                | Phillipsdata; Phillipsdata blesta
  CPEs                |                | cpe:2.3:a:phillipsdata:blesta:*:*:*:*:*:*:*:*
  Vendors & Products  |                | Phillipsdata; Phillipsdata blesta

Thu, 05 Feb 2026 07:30:00 +0000

  Type       | Values Removed | Values Added
  References |                |

Wed, 04 Feb 2026 12:15:00 +0000

  Type                | Values Removed | Values Added
  First Time appeared |                | Blesta; Blesta blesta
  Vendors & Products  |                | Blesta; Blesta blesta

Tue, 03 Feb 2026 21:15:00 +0000

  Type    | Values Removed | Values Added
  Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 19:45:00 +0000

  Type        | Values Removed | Values Added
  Description |                | Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668.
  Weaknesses  |                | CWE-502
  References  |                |
  Metrics     |                | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-02-05T06:19:48.805Z
Reserved: 2026-02-03T19:18:47.567Z
Link: CVE-2026-25615

Vulnrichment

Updated: 2026-02-05T06:19:48.805Z

NVD

Status: Analyzed
Published: 2026-02-03T20:15:59.077
Modified: 2026-02-13T21:26:32.380
Link: CVE-2026-25615

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:15:31Z

Weaknesses