Security Advisory

January 28, 2026
Paul

Several security issues affecting Blesta versions 4.0.0 through 5.13.1 have been identified.

An input validation vulnerability (CORE-5665) and object injection vulnerabilities (CORE-5668, CORE-5680) have been discovered. One of these vulnerabilities could potentially allow remote code execution under certain conditions. We recommend applying the appropriate patch for your release, or upgrading to version 5.13.2 as soon as possible. We give this an impact rating of Critical.

More information about how we rate vulnerabilities can be found on our Security Advisories page.

Always back up your files and database prior to upgrading, and be sure to run /admin/upgrade in your browser after uploading either a patch or full release. Patch releases may only be applied to the minor release to which they belong, so download the appropriate patch for your minor version. If you are running a version of Blesta between 3.0 and 5.10, upgrade to 5.13.2.

Downloads

Download 5.13.2 Patch
Download 5.13.2 Full

% blesta-5.13.2.zip
f443a4980b68975038565739c9f324800d932c8ceda7a5c35cc1577f89f1c288

% blesta-5.13.0-5.13.2.zip
2985d2dfe85d406c532d89873136ab0ae09fe9633cc730d1e2e7d0f5e1b0fc89

Download 5.12.4 Patch

% blesta-5.12.0-5.12.4.zip
2bd8d7819f7b528c0b15f44e9f7c9e591515e1a9933fd029f65d0e16989f53ce

Download 5.11.5 Patch

% blesta-5.11.0-5.11.5.zip
5a6c872297624cd34dc64d5460f7946cf4b28ca29a5a89bec4ca2a951b2e5e6b

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.
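Before uploading a patch or full release, compare the downloaded archive against the checksum published above; a mismatch means the file is corrupt or is not the file Blesta published, and it should not be applied. The script below is an added example, not Blesta's own tooling. It assumes the 64-character digests listed above are SHA-256 hashes and that `sha256sum`, `shasum` or `openssl` is available on the server where the archive was downloaded.

```shell
#!/bin/sh
# Published digests, copied from the Downloads section of the advisory.
EXPECTED_5_13_2_FULL=f443a4980b68975038565739c9f324800d932c8ceda7a5c35cc1577f89f1c288
EXPECTED_5_13_2_PATCH=2985d2dfe85d406c532d89873136ab0ae09fe9633cc730d1e2e7d0f5e1b0fc89
EXPECTED_5_12_4_PATCH=2bd8d7819f7b528c0b15f44e9f7c9e591515e1a9933fd029f65d0e16989f53ce
EXPECTED_5_11_5_PATCH=5a6c872297624cd34dc64d5460f7946cf4b28ca29a5a89bec4ca2a951b2e5e6b

# Print the SHA-256 hex digest of "$1" using whichever tool is installed
# (assumption: the published digests are SHA-256; they are 64 hex characters).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# verify_sha256 <file> <expected-hex>: returns 0 on match, 1 otherwise.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK   $file"
    return 0
  fi
  echo "FAIL $file" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# expected_for <path>: map an archive name from the advisory to its digest;
# returns 1 (and prints nothing) for a file name the advisory does not list.
expected_for() {
  case $(basename "$1") in
    blesta-5.13.2.zip)        echo "$EXPECTED_5_13_2_FULL" ;;
    blesta-5.13.0-5.13.2.zip) echo "$EXPECTED_5_13_2_PATCH" ;;
    blesta-5.12.0-5.12.4.zip) echo "$EXPECTED_5_12_4_PATCH" ;;
    blesta-5.11.0-5.11.5.zip) echo "$EXPECTED_5_11_5_PATCH" ;;
    *) return 1 ;;
  esac
}

# verify_download <path>: look the digest up by archive name, then verify.
verify_download() {
  h=$(expected_for "$1") || { echo "no published checksum for $1" >&2; return 1; }
  verify_sha256 "$1" "$h"
}

# Usage: sh verify-blesta.sh ./blesta-5.13.0-5.13.2.zip
# Each archive given on the command line is checked; with no arguments the
# functions above are only defined, so the file can also be sourced.
status=0
for f in "$@"; do
  verify_download "$f" || status=1
done
[ "$status" -eq 0 ]
```

Only proceed to upload the archive and run /admin/upgrade once every file reports OK; the lookup by file name also catches the common mistake of applying a patch built for a different minor version, since an archive the advisory does not list is rejected rather than silently accepted.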

Full Release Notes for 5.13.2

  • [CORE-5619] - Generic Domains: .cl TLDs report as always available
  • [CORE-5624] - Security Fix
  • [CORE-5631] - CMS: Default URI shared between multiple companies
  • [CORE-5660] - Amazon S3 vendor code update not shipping with Blesta
  • [CORE-5661] - PostalMethods returns error, possible API change
  • [CORE-5662] - Adding Payment accounts can result in an error
  • [CORE-5665] - Security fix
  • [CORE-5668] - Security fix
  • [CORE-5669] - Investigate potential month date name display issues
  • [CORE-5670] - Stripe Payments: Possible rounding bug
  • [CORE-5671] - Invoice PDFs do not observe the internationalization of dates
  • [CORE-5678] - Clients attempting to use “Forgot Password” encounter a blank screen
  • [CORE-5679] - Coupons no longer apply to config options when “Apply to Configurable Options” is checked
  • [CORE-5680] - Security fix
  • [CORE-5690] - Order: Limit keyword searches to spotlight TLDs

Resolution

  • If you are running version 5.13.x, apply the 5.13.2 patch above.
  • If you are running version 5.12.x, apply the 5.12.4 patch above.
  • If you are running version 5.11.x, apply the 5.11.5 patch above.
  • If you are running version 3.0.x through 5.10.x, upgrade to 5.13.2 Full.

Mitigation

It is best to upgrade to 5.13.2 or apply the appropriate patch. However, if you are running an affected unsupported version of Blesta (version 4.0 through 5.10) and need more time to upgrade, it is possible to mitigate the most serious vulnerability, the one we rated Critical: if you have the 2Checkout payment gateway installed, update it to the latest version from the repository on GitHub: https://github.com/blesta/gateway-2checkout

Credits

Some of these issues were reported by Egidio Romano of Karma(In)Security in accordance with our Responsible Disclosure Policy. Other issues were discovered internally.
