Security Advisory
Blesta 5.13.9 is a maintenance release made up primarily of routine bug fixes. It also addresses one reported low-severity security issue and includes some additional defense-in-depth hardening. A patch is being released for the 5.13 branch.
The functional fixes cover partial refund status handling, a Support Manager OAuth2 callback issue, a default avatar path regression, the display of the ACH payment option in the order flow, and email blacklist wildcard matching. We give this an overall impact rating of Low. We recommend applying the 5.13.9 patch, or upgrading to version 5.13.9.
More information about how we rate vulnerabilities can be found on our Security Advisories page.
Always back up your files and database prior to upgrading and be sure to run /admin/upgrade in your browser after uploading either a patch or full release. Patch releases may only be applied to the minor release to which they belong, so download the appropriate patch for your minor version. If you are running a version of Blesta between 3.0 and 5.13, upgrade to 5.13.9.
Downloads
Download 5.13.9 Patch
Download 5.13.9 Full
% blesta-5.13.9.zip
d1d9b19608884de7df0dba1760075be6a202b6ee15623f2e5c6f5873b6888a8f
% blesta-5.13.0-5.13.9.zip
67fd91142c43dfc66c52255023fa333f70bca1d6d470b25f616e454ef18ba2e9
To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.
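As an added example (not code from the Blesta project or from this advisory), the following POSIX shell pre-flight checks a downloaded archive against the checksums listed above and confirms that a patch archive belongs to the installed minor branch before you upload it and run /admin/upgrade. It assumes that the patch filename encodes the branch base version followed by the target version, as the name on this page appears to, and that sha256sum, shasum or openssl is on PATH.

```shell
#!/bin/sh
# Added example, not part of the Blesta advisory: verify a downloaded
# archive against the published checksum and confirm the patch targets
# the installed minor branch before running /admin/upgrade.
# Assumes sha256sum (coreutils), shasum (macOS/BSD) or openssl is on PATH.

# Checksums copied from the Downloads section of the advisory
BLESTA_5_13_9_FULL_SHA256="d1d9b19608884de7df0dba1760075be6a202b6ee15623f2e5c6f5873b6888a8f"
BLESTA_5_13_0_5_13_9_PATCH_SHA256="67fd91142c43dfc66c52255023fa333f70bca1d6d470b25f616e454ef18ba2e9"

# sha256_of FILE -> prints the lowercase hex digest with whichever tool exists
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_archive FILE EXPECTED -> 0 on match, 1 on mismatch or missing file
verify_archive() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published checksum"
        return 0
    fi
    printf 'MISMATCH: %s\n  expected %s\n  actual   %s\n' "$file" "$expected" "$actual" >&2
    return 1
}

# patch_matches_branch INSTALLED_VERSION PATCHFILE -> 0 when the patch is for
# the installed minor branch. Assumes the "blesta-A.B.C-A.B.D.zip" name seen on
# this page encodes the branch base version followed by the target version.
patch_matches_branch() {
    installed_branch=$(printf '%s' "$1" | cut -d. -f1,2)
    patch_base=$(basename "$2" .zip | sed 's/^blesta-//; s/-.*$//')
    patch_branch=$(printf '%s' "$patch_base" | cut -d. -f1,2)
    [ -n "$patch_branch" ] && [ "$installed_branch" = "$patch_branch" ]
}

# Usage once the archive is downloaded (uncomment; back up files and DB first).
# Replace 5.13.4 with the version you are actually running:
# patch_matches_branch 5.13.4 blesta-5.13.0-5.13.9.zip || exit 1
# verify_archive blesta-5.13.0-5.13.9.zip "$BLESTA_5_13_0_5_13_9_PATCH_SHA256" || exit 1
```

A mismatch means the archive is not the file whose checksum was published and should not be uploaded to the server.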
Full Release Notes for 5.13.9
- [CORE-5940] - Partial refunds may get saved with incorrect status
- [CORE-5941] - Security Fix
- [CORE-5942] - Security Fix
- [CORE-5955] - Support Manager: OAuth2 callback partial department edit and deletes priorities/custom field data
- [CORE-5974] - Custom Support Manager default avatar never loads (path validation regression)
- [CORE-5979] - Security Fix
- [CORE-5988] - Order: ACH option appears prior to payment even when disabled in order settings
- [CORE-6009] - Blacklist email wildcards fail to block
Resolution
- If you are running version 5.13.x, apply the 5.13.9 patch above.
- If you are running version 3.0.x through 5.12.x, upgrade to 5.13.9 Full.
Credits
One of these issues was reported by Rungrawin Markboon and Nissana Sirijirakal from SnoopBees in accordance with our Responsible Disclosure Policy. The remaining issues were discovered internally and are largely defense-in-depth measures.