Blesta 5.13.3 Patch Released

We are pleased to announce the released of Blesta 5.13.3, which addresses bugs discovered in the 5.13 branch. A big thanks to everyone who participated in helping to make Blesta better by reporting and confirming bugs on our forums and discord chat, we appreciate your help!

The release notes are available at https://docs.blesta.com/support/releases/5/5133/.

Always run /admin/upgrade in your browser or via CLI after updating the files for your installation. Patch releases may only be applied to the minor release to which it belongs. Only apply this patch if you are running 5.13.0, 5.13.1, or 5.13.2. If you are running an earlier version, you must download the full release.

Download 5.13.3 Patch Download 5.13.3 Full

SHA256 Sum

% blesta-5.13.3.zip
6a58da9013f86b43fbd94210198c003159bd7c1e351bdb845e5865bc4ab967be

% blesta-5.13.2-5.13.3.zip
4c63bfc7c7968207e6092d016c8e416ed1fc8f3c8c2de6bf5363be6a54e625f9

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

Security Advisory

Several security issues affecting Blesta versions 3.0.0 through 5.13.1 have been identified.

An input validation vulnerability (CORE-5665) and object injection vulnerabilities (CORE-5668, CORE-5680) have been discovered. One of these vulnerabilities could potentially allow remote code execution under certain conditions. We recommend applying the appropriate patch for your release, or upgrading to version 5.13.3 as soon as possible. We give this an impact rating of Critical.

Update (January 31, 2026): Version 5.13.3 has been released to address regressions introduced in 5.13.2. Please use 5.13.3 instead of 5.13.2 for both full and patch downloads.

More information about how we rate vulnerabilities can be found on our Security Advisories page.

Always back up your files and database prior to upgrading and be sure to run /admin/upgrade in your browser after uploading either a patch or full release. Patch releases may only be applied to the minor release to which it belongs, so download the appropriate patch for your minor version. If you are running a version of Blesta between 3.0 and 5.10, upgrade to 5.13.3.

Downloads

Download 5.13.3 Patch Download 5.13.3 Full

% blesta-5.13.3.zip
6a58da9013f86b43fbd94210198c003159bd7c1e351bdb845e5865bc4ab967be

% blesta-5.13.0-5.13.3.zip
4c63bfc7c7968207e6092d016c8e416ed1fc8f3c8c2de6bf5363be6a54e625f9

Download 5.12.4 Patch

% blesta-5.12.0-5.12.4.zip
2bd8d7819f7b528c0b15f44e9f7c9e591515e1a9933fd029f65d0e16989f53ce

Download 5.11.5 Patch

% blesta-5.11.0-5.11.5.zip
5a6c872297624cd34dc64d5460f7946cf4b28ca29a5a89bec4ca2a951b2e5e6b

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

Full Release Notes for 5.13.2

• [CORE-5619] - Generic Domains: .cl TLDs report as always available
• [CORE-5624] - Security Fix
• [CORE-5631] - CMS: Default URI shared between multiple companies
• [CORE-5660] - Amazon S3 vendor code update not shipping with Blesta
• [CORE-5661] - PostalMethods returns error, possible API change
• [CORE-5662] - Adding Payment accounts can result in an error
• [CORE-5665] - Security fix
• [CORE-5668] - Security fix
• [CORE-5669] - Investigate potential month date name display issues
• [CORE-5670] - Stripe Payments: Possible rounding bug
• [CORE-5671] - Invoice PDF’s do not observe the internationalization of dates
• [CORE-5678] - Clients attempting to use “Forgot Password” encounter a blank screen
• [CORE-5679] - Coupons no longer apply to config options when “Apply to Configurable Options” is checked
• [CORE-5680] - Security fix
• [CORE-5690] - Order: Limit keyword searches to spotlight TLDs

Resolution

• If you are running version 5.13.x, apply the 5.13.3 patch above.
• If you are running version 5.12.x, apply the 5.12.4 patch above.
• If you are running version 5.11.x, apply the 5.11.5 patch above.
• If you are running version 3.0.x through 5.10.x, upgrade to 5.13.3 Full.

Mitigation

It is best to upgrade to 5.13.3 or apply the appropriate patch. However, if you are running an affected unsupported version of Blesta (version 3.0 through 5.10), and you need more time to upgrade, it is possible to mitigate the most serious vulnerability for which we gave this an impact rating of Critical. If you have the 2Checkout payment gateway installed, update it to the latest version from the repository on GitHub: https://github.com/blesta/gateway-2checkout

Credits

Some of these issues were reported by Egidio Romano of Karma(In)Security in accordance with our Responsible Disclosure Policy. Other issues were discovered internally.

Blesta 5.13.1 Patch Released

We are pleased to announce the released of Blesta 5.13.1, which addresses bugs discovered in the 5.13 branch. A big thanks to everyone who participated in helping to make Blesta better by reporting and confirming bugs on our forums and discord chat, we appreciate your help!

The release notes are available at https://docs.blesta.com/support/releases/5/5131/.

Always run /admin/upgrade in your browser or via CLI after updating the files for your installation. Patch releases may only be applied to the minor release to which it belongs. Only apply this patch if you are running 5.13.0. If you are running an earlier version, you must download the full release.

Download 5.13.1 Patch Download 5.13.1 Full

SHA256 Sum

% blesta-5.13.1.zip
5421c8130275453dd2a73a43b50cd4cd188f3530c3c30c42cd306130482f67ec

% blesta-5.13.0-5.13.1.zip
c1303f2844f945176fb044a49862f94201cd21e7b438fc6a3386f8a7e9dfef1a

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

Blesta 5.13 Released

Blesta 5.13 is now available!

This version brings powerful new features and improvements! Clients and staff can now upload profile pictures, and support tickets can be rated by clients. We’ve added step-up authentication for enhanced security, and invoices can now be generated in the digital format UBL XML. Domain management gets better with bulk name server updates and improved date syncing. The Import Manager has been enhanced to support non-owner user relationships from WHMCS. You can now requeue invoices for delivery after payment, clients can add additional recipients to tickets, contact log history is now visible on client profile pages, and much more!

SHA256 Sum

9808e19629ac9e89f5f0d3cfb229c7487a0a790117e72bbde936a7c697d622bf

ALWAYS BACKUP YOUR FILES + DATABASE PRIOR TO UPGRADING. Don’t forget to run /admin/upgrade in your browser or via CLI. If you need assistance upgrading, we can perform the upgrade for $45 just open a ticket from your account.

See the documentation for details on how to install or upgrade.

What’s new in 5.13?

• Added profile pictures for staff and clients.
• Added step-up authentication for enhanced security (See docs to disable).
• Added a ticket rating system for clients.
• Added the ability to generate invoices in the digital format UBL XML.
• Added the ability to requeue invoices for delivery after payment.
• Added contact log history visibility on client profiles.
• Added configurable option group import and export functionality.
• Added an option to hide pricing on zero cost configurable options.
• Added an option to prevent service module renewal prior to payment.
• Added merchant gateway migration support between different gateways.
• Added client credit configuration options to enable/disable credit and set maximum amounts.
• Added the language Português, PT pt_pt.
• Added a new Enhance shared hosting panel module.
• Updated the Domain Manager to support bulk name server updates and welcome emails.
• Updated the Domain Manager with improved expiration sync process.
• Updated the Domain Manager to allow keyword search for domains.
• Updated the Domain Manager with customizable auto-renewal notifications.
• Updated the Domain Manager to add a filter option for domains with price overrides.
• Updated the Domain Manager to show module management tabs when managing a domain.
• Updated the Order System to show monthly pricing discounts on pricing terms.
• Updated the Generic Domains module to include registration and renewal email notifications.
• Updated the Support Manager to allow clients to add recipients to tickets.
• Updated the Support Manager to allow tickets to be imported via OAuth2.
• Updated the Support Manager with a setting for Gravatar or custom Avatars.
• Updated the Support Manager to display staff member titles in their replies.
• Updated the Knowledge Base to allow batch updates for category accessibility.
• Updated the Namecheap module TLD list loading performance.
• Updated the Import Manager to support importing non-owner user relationships from WHMCS.
• Updated the Email blacklist to allow preventing outgoing messages to blacklisted addresses.
• Updated ISO code standardization for states and countries.
• Updated password requirements for clients in the settings.
• Updated automation tasks to allow selective execution.
• Updated internationalized calendar month names to match selected language.
• Updated webhook requests to be logged along with status.
• Updated to allow deletion of cancelled addons.

See our beta announcement for more and the release notes for everything.

Developers

• Added new events for Domain Manager, Order System, and Support Manager.
• Added configurable option group import/export functionality.
• Reminder: If you are a developer, we recommend updating your extensions to support PHP 8, including PHP 8.3 if they don’t already.

Sponsored Development

A big shout out to the following companies for sponsoring development for one or more items in this release. Show them some love.

• KnownHost
• Mynymbox

Sponsored development is a good way to support Blesta and get a shout out for your company! Interested? Reach out and say hello.

Stay Connected!

Like our Facebook page, join our Facebook group and Subreddit, follow us on Twitter, and join us in Discord.

Blesta 6: A Paradigm Shift

We have been hard at work on the next major version update for Blesta, watch the video for a sneak peek. Sound on + full-screen.

This changes everything

Paradigm: The all-new Blesta 6 Admin UI. Built in house from the ground up on Bootstrap 5, it has a sleek, responsive, modern interface that adapts to your preferences. Dark mode. Light mode. Streamlined power in every touch, it’s a brand new vibe.

This isn’t just a new template. This is a whole new admin experience.

1. Three-tier architecture - Customizable icon bar, collapsible side navigation, and contextual side panels.
2. Designed dark, not retrofitted - Dark mode designed from the ground up, not tacked on, with perfect contrast ratios.
3. Context-aware side panels - Ticket views, quick actions, nav, and more adapt to what you’re working on.
4. Still feels like Blesta - Familiar layout. Bulk actions, filtering, expandable sections and more work even better.
5. Mobile without compromise - Genuinely functional mobile experience, not just a squeezed-down desktop view.
6. Built for power users - Keyboard shortcuts, drag-and-drop, quick actions, and intelligent notifications.
7. Intelligent persistence - Use of LocalStorage allows Blesta to remember your preferences like never before.

We’re only scratching the surface here, there’s a lot more that we’re not ready to share just yet. The new admin interface represents countless hours of design, development, and refinement. You really need to experience it to understand the difference. Blesta version 6 is coming in early 2026 and that is just the beginning of several massive new features and improvements planned throughout the year.

The soundtrack to innovation

Every paradigm shift deserves its own soundtrack. The full, original song is included below, give it a listen:

Why dark mode matters

We’ve heard you. Billing software shouldn’t burn your retinas. A modern Admin UI with dark mode was overdue, we’ve been rocking the same design since 2013. Whether you’re approving orders at 2 AM or responding to tickets in a dimly lit office, dark mode is there for you. And when the sun comes up? You can switch to light mode with a single click, but if you’re like us you might just prefer dark mode all the time.

Built for the future

Bootstrap 5 is a solid foundation for many modern web applications. By rebuilding the admin interface on Bootstrap 5, we’ve ensured that Blesta 6 will not only work and look great, but make it much easier for developers to build great looking interfaces within their own plugins and modules. This goes far deeper than a theme update—we’ve modernized core infrastructure including a new notifications system that developers can integrate their plugins with directly. A component library is planned to help maintain consistency across custom developments.

The new UI is more than just aesthetics. It’s about efficiency, usability, and creating an experience that makes managing your company genuinely enjoyable.

What do you think?

Are you excited about the new admin interface? Will dark mode change how you work? We’d love to hear your thoughts! It’s our hope that you’ll say, “Who knew I could love software this much!”.

Stay tuned for more information about Blesta version 6.