Impact
The vendor has identified an input validation flaw in Blesta versions 3.x through 5.x prior to 5.13.3. The weakness, cataloged as CWE-79, allows an attacker to inject JavaScript or other browser-interpreted content through crafted input that is not correctly sanitized before it is rendered. The result is a traditional client-side cross-site scripting (XSS) attack, in which the attacker can deface a page, steal session cookies, or carry out other actions in the victim's browser context. The vulnerability does not directly grant arbitrary code execution on the server, but it can be used to facilitate phishing or other attacks against end users who visit the affected pages.
Affected Systems
The vulnerable input handling is part of the Blesta billing and support web application, developed by the Blesta company. Affected versions include the whole 3.x series and the 5.x series before the 5.13.3 release. All deployments of these releases are potentially vulnerable unless upgraded to 5.13.3 or later.
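A version-triage helper for the affected range stated above, added here as an illustration and not part of the advisory or of Blesta's own code; the host inventory it runs over is constructed.

```python
"""Decide whether a reported Blesta version falls inside the advisory's
affected range (3.x through 5.x, prior to 5.13.3). Added example; the
version strings and host names below are constructed for illustration."""
import re
from typing import Dict, Tuple

FIXED_VERSION = (5, 13, 3)      # first release the advisory states as fixed
FIRST_AFFECTED_MAJOR = 3        # 3.x is the oldest series named as affected

_VERSION_RE = re.compile(
    r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?P<pre>-[0-9A-Za-z.]+)?(?:\+.*)?"
)

def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Parse 'MAJOR[.MINOR[.PATCH]][-prerelease][+build]'.
    Missing numeric parts default to 0. Returns the numeric triple and a
    flag saying whether a pre-release suffix (e.g. '-rc1') was present.
    Raises ValueError for strings that are not version numbers."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups()[:3])
    return (major, minor, patch), m.group("pre") is not None

def is_affected(text: str) -> bool:
    """True when the version is in the advisory's affected range.
    A pre-release of the fixed version itself (5.13.3-rc1) precedes the
    fix and is treated conservatively as affected."""
    numeric, prerelease = parse_version(text)
    if numeric[0] < FIRST_AFFECTED_MAJOR:
        return False
    return numeric < FIXED_VERSION or (numeric == FIXED_VERSION and prerelease)

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patch required', 'not affected' or 'unparseable'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "patch required" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unparseable"
    return result

if __name__ == "__main__":
    sample = {"billing-01": "5.13.2", "billing-02": "5.13.3",   # constructed
              "legacy": "3.6.1", "archive": "2.9", "unknown": "latest"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```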
Risk and Exploitability
The CVSS score of 4.7 indicates moderate severity. An EPSS probability of 2% suggests that, while the flaw has a tangible chance of exploitation, it is not a high-risk target compared with other vulnerabilities. It is not listed in the CISA KEV catalog, meaning there is no confirmed evidence of widespread exploitation at this time. The typical attack path involves an attacker supplying malicious payloads through the web interface, which are then reflected into the page rendered by the victim's browser. Because the flaw lies in user input handling, it is generally exploitable remotely via standard HTTP requests to the affected application.
OpenCVE Enrichment