Blesta XSS Flaw Poses Client-Side Risk to Management Portals

This newsletter is AI-generated and may hallucinate sometimes 😊

Blesta Reflected XSS Flaw Endangers Client Management Portals

  • A reflected Cross-Site Scripting (XSS) vulnerability, tracked as KIS-2026-01, has been identified in Blesta versions up to 5.13.1, specifically affecting the confirm_url parameter.
  • This flaw enables attackers to inject arbitrary web scripts into pages viewed by legitimate users, potentially leading to session hijacking, sensitive data exfiltration, or malicious redirection.
  • Administrators using Blesta 5.13.1 or earlier are strongly advised to upgrade their installations to a patched version to mitigate this client-side attack vector.

Source: Full Disclosure (seclists.org) | Date: February 1, 2026
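As an added defensive illustration (not code from Blesta or from the advisory), the PHP below shows the usual hardening for a reflected parameter of this kind: validate a user-supplied `confirm_url` as a same-site relative path and HTML-encode it at the output point. It assumes the parameter is a post-action return path echoed into an `href` attribute; how Blesta itself consumes the parameter is not described on this page.

```php
<?php
// Added example, not Blesta's own code. Assumption: confirm_url is a return
// path that the page writes into an HTML attribute after the user confirms.
declare(strict_types=1);

/**
 * Accept only a same-site relative path such as "/client/invoices/42".
 * Rejects absolute and protocol-relative URLs, scheme-bearing values
 * (e.g. javascript:), backslashes and control characters. Returns the
 * fallback path when the candidate is not acceptable.
 */
function safe_confirm_url(?string $candidate, string $fallback = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    // Control characters or whitespace can be used to smuggle a scheme.
    if (preg_match('/[\x00-\x20\x7f]/', $candidate)) {
        return $fallback;
    }
    // Must start with exactly one "/" ("//host" is protocol-relative).
    if (!preg_match('#^/(?!/)#', $candidate)) {
        return $fallback;
    }
    // No ":" or "\" in the path part: both can turn into a scheme or host
    // separator in lenient URL parsers.
    $path = explode('?', $candidate, 2)[0];
    if (strpos($path, ':') !== false || strpos($path, '\\') !== false) {
        return $fallback;
    }
    return $candidate;
}

/** Encode for insertion into an HTML attribute value. */
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (reflected XSS): echoing the raw parameter.
//   echo '<a href="' . $_GET['confirm_url'] . '">Continue</a>';
// Hardened pattern: validate first, then encode at the point of output.
$url = safe_confirm_url($_GET['confirm_url'] ?? null, '/client/');
echo '<a href="' . html_attr($url) . '">Continue</a>' . PHP_EOL;

// Constructed inputs showing which values are rejected and why.
foreach (['/client/invoices/42', '//evil.example/', 'javascript:alert(1)',
          '/a" onmouseover="alert(1)', "/path\r\nX: y"] as $probe) {
    printf("%-28s -> %s\n", $probe, html_attr(safe_confirm_url($probe)));
}
```

Validation narrows what can be reflected at all, and encoding at output defends against the remaining cases (the quote-breaking probe above is neutralised by `html_attr` even though it passes the path check).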

References

  1. [KIS-2026-01] Blesta <= 5.13.1 (confirm_url) Reflected Cross-Site Scripting Vulnerability - Full Disclosure (seclists.org)
