Blesta 5.13.4 Patch Released

We are pleased to announce the release of Blesta 5.13.4, which addresses bugs discovered in the 5.13 branch. A big thanks to everyone who participated in helping to make Blesta better by reporting and confirming bugs on our forums and discord chat, we appreciate your help!

The release notes are available at https://docs.blesta.com/support/releases/5/5134/.

Always run /admin/upgrade in your browser or via CLI after updating the files for your installation. Patch releases may only be applied to the minor release to which it belongs. Only apply this patch if you are running 5.13.0, 5.13.1, 5.13.2, or 5.13.3. If you are running an earlier version, you must download the full release.

Download 5.13.4 Patch Download 5.13.4 Full

SHA256 Sum

% blesta-5.13.4.zip
2146cac0eec29421dd6e976d889a85ea5864dc43e5f4b9a27ab1812d12f99f78

% blesta-5.13.0-5.13.4.zip
66e87ba717981c3f20404871487b821f88074bd0d12f2350f50949358096e001

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

Blesta 5.13.3 Patch Released

We are pleased to announce the released of Blesta 5.13.3, which addresses bugs discovered in the 5.13 branch. A big thanks to everyone who participated in helping to make Blesta better by reporting and confirming bugs on our forums and discord chat, we appreciate your help!

The release notes are available at https://docs.blesta.com/support/releases/5/5133/.

Always run /admin/upgrade in your browser or via CLI after updating the files for your installation. Patch releases may only be applied to the minor release to which it belongs. Only apply this patch if you are running 5.13.0, 5.13.1, or 5.13.2. If you are running an earlier version, you must download the full release.

Download 5.13.3 Patch Download 5.13.3 Full

SHA256 Sum

% blesta-5.13.3.zip
6a58da9013f86b43fbd94210198c003159bd7c1e351bdb845e5865bc4ab967be

% blesta-5.13.2-5.13.3.zip
4c63bfc7c7968207e6092d016c8e416ed1fc8f3c8c2de6bf5363be6a54e625f9

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

Security Advisory

Several security issues affecting Blesta versions 3.0.0 through 5.13.1 have been identified.

An input validation vulnerability (CORE-5665) and object injection vulnerabilities (CORE-5668, CORE-5680) have been discovered. One of these vulnerabilities could potentially allow remote code execution under certain conditions. We recommend applying the appropriate patch for your release, or upgrading to version 5.13.3 as soon as possible. We give this an impact rating of Critical.

Update (January 31, 2026): Version 5.13.3 has been released to address regressions introduced in 5.13.2. Please use 5.13.3 instead of 5.13.2 for both full and patch downloads.

More information about how we rate vulnerabilities can be found on our Security Advisories page.

Always back up your files and database prior to upgrading and be sure to run /admin/upgrade in your browser after uploading either a patch or full release. Patch releases may only be applied to the minor release to which it belongs, so download the appropriate patch for your minor version. If you are running a version of Blesta between 3.0 and 5.10, upgrade to 5.13.3.

Downloads

Download 5.13.3 Patch Download 5.13.3 Full

% blesta-5.13.3.zip
6a58da9013f86b43fbd94210198c003159bd7c1e351bdb845e5865bc4ab967be

% blesta-5.13.0-5.13.3.zip
4c63bfc7c7968207e6092d016c8e416ed1fc8f3c8c2de6bf5363be6a54e625f9

Download 5.12.4 Patch

% blesta-5.12.0-5.12.4.zip
2bd8d7819f7b528c0b15f44e9f7c9e591515e1a9933fd029f65d0e16989f53ce

Download 5.11.5 Patch

% blesta-5.11.0-5.11.5.zip
5a6c872297624cd34dc64d5460f7946cf4b28ca29a5a89bec4ca2a951b2e5e6b

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

Full Release Notes for 5.13.2

• [CORE-5619] - Generic Domains: .cl TLDs report as always available
• [CORE-5624] - Security Fix
• [CORE-5631] - CMS: Default URI shared between multiple companies
• [CORE-5660] - Amazon S3 vendor code update not shipping with Blesta
• [CORE-5661] - PostalMethods returns error, possible API change
• [CORE-5662] - Adding Payment accounts can result in an error
• [CORE-5665] - Security fix
• [CORE-5668] - Security fix
• [CORE-5669] - Investigate potential month date name display issues
• [CORE-5670] - Stripe Payments: Possible rounding bug
• [CORE-5671] - Invoice PDF’s do not observe the internationalization of dates
• [CORE-5678] - Clients attempting to use “Forgot Password” encounter a blank screen
• [CORE-5679] - Coupons no longer apply to config options when “Apply to Configurable Options” is checked
• [CORE-5680] - Security fix
• [CORE-5690] - Order: Limit keyword searches to spotlight TLDs

Resolution

• If you are running version 5.13.x, apply the 5.13.3 patch above.
• If you are running version 5.12.x, apply the 5.12.4 patch above.
• If you are running version 5.11.x, apply the 5.11.5 patch above.
• If you are running version 3.0.x through 5.10.x, upgrade to 5.13.3 Full.

Mitigation

It is best to upgrade to 5.13.3 or apply the appropriate patch. However, if you are running an affected unsupported version of Blesta (version 3.0 through 5.10), and you need more time to upgrade, it is possible to mitigate the most serious vulnerability for which we gave this an impact rating of Critical. If you have the 2Checkout payment gateway installed, update it to the latest version from the repository on GitHub: https://github.com/blesta/gateway-2checkout

Credits

Some of these issues were reported by Egidio Romano of Karma(In)Security in accordance with our Responsible Disclosure Policy. Other issues were discovered internally.

Blesta 5.13.1 Patch Released

We are pleased to announce the released of Blesta 5.13.1, which addresses bugs discovered in the 5.13 branch. A big thanks to everyone who participated in helping to make Blesta better by reporting and confirming bugs on our forums and discord chat, we appreciate your help!

The release notes are available at https://docs.blesta.com/support/releases/5/5131/.

Always run /admin/upgrade in your browser or via CLI after updating the files for your installation. Patch releases may only be applied to the minor release to which it belongs. Only apply this patch if you are running 5.13.0. If you are running an earlier version, you must download the full release.

Download 5.13.1 Patch Download 5.13.1 Full

SHA256 Sum

% blesta-5.13.1.zip
5421c8130275453dd2a73a43b50cd4cd188f3530c3c30c42cd306130482f67ec

% blesta-5.13.0-5.13.1.zip
c1303f2844f945176fb044a49862f94201cd21e7b438fc6a3386f8a7e9dfef1a

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

Blesta 5.13 Released

Blesta 5.13 is now available!

This version brings powerful new features and improvements! Clients and staff can now upload profile pictures, and support tickets can be rated by clients. We’ve added step-up authentication for enhanced security, and invoices can now be generated in the digital format UBL XML. Domain management gets better with bulk name server updates and improved date syncing. The Import Manager has been enhanced to support non-owner user relationships from WHMCS. You can now requeue invoices for delivery after payment, clients can add additional recipients to tickets, contact log history is now visible on client profile pages, and much more!

SHA256 Sum

9808e19629ac9e89f5f0d3cfb229c7487a0a790117e72bbde936a7c697d622bf

ALWAYS BACKUP YOUR FILES + DATABASE PRIOR TO UPGRADING. Don’t forget to run /admin/upgrade in your browser or via CLI. If you need assistance upgrading, we can perform the upgrade for $45 just open a ticket from your account.

See the documentation for details on how to install or upgrade.

What’s new in 5.13?

• Added profile pictures for staff and clients.
• Added step-up authentication for enhanced security (See docs to disable).
• Added a ticket rating system for clients.
• Added the ability to generate invoices in the digital format UBL XML.
• Added the ability to requeue invoices for delivery after payment.
• Added contact log history visibility on client profiles.
• Added configurable option group import and export functionality.
• Added an option to hide pricing on zero cost configurable options.
• Added an option to prevent service module renewal prior to payment.
• Added merchant gateway migration support between different gateways.
• Added client credit configuration options to enable/disable credit and set maximum amounts.
• Added the language Português, PT pt_pt.
• Added a new Enhance shared hosting panel module.
• Updated the Domain Manager to support bulk name server updates and welcome emails.
• Updated the Domain Manager with improved expiration sync process.
• Updated the Domain Manager to allow keyword search for domains.
• Updated the Domain Manager with customizable auto-renewal notifications.
• Updated the Domain Manager to add a filter option for domains with price overrides.
• Updated the Domain Manager to show module management tabs when managing a domain.
• Updated the Order System to show monthly pricing discounts on pricing terms.
• Updated the Generic Domains module to include registration and renewal email notifications.
• Updated the Support Manager to allow clients to add recipients to tickets.
• Updated the Support Manager to allow tickets to be imported via OAuth2.
• Updated the Support Manager with a setting for Gravatar or custom Avatars.
• Updated the Support Manager to display staff member titles in their replies.
• Updated the Knowledge Base to allow batch updates for category accessibility.
• Updated the Namecheap module TLD list loading performance.
• Updated the Import Manager to support importing non-owner user relationships from WHMCS.
• Updated the Email blacklist to allow preventing outgoing messages to blacklisted addresses.
• Updated ISO code standardization for states and countries.
• Updated password requirements for clients in the settings.
• Updated automation tasks to allow selective execution.
• Updated internationalized calendar month names to match selected language.
• Updated webhook requests to be logged along with status.
• Updated to allow deletion of cancelled addons.

See our beta announcement for more and the release notes for everything.

Developers

• Added new events for Domain Manager, Order System, and Support Manager.
• Added configurable option group import/export functionality.
• Reminder: If you are a developer, we recommend updating your extensions to support PHP 8, including PHP 8.3 if they don’t already.

Sponsored Development

A big shout out to the following companies for sponsoring development for one or more items in this release. Show them some love.

• KnownHost
• Mynymbox

Sponsored development is a good way to support Blesta and get a shout out for your company! Interested? Reach out and say hello.

Stay Connected!

Like our Facebook page, join our Facebook group and Subreddit, follow us on Twitter, and join us in Discord.