Blesta 5.13.3 Patch Released

January 31, 2026
Paul

We are pleased to announce the release of Blesta 5.13.3, which addresses bugs discovered in the 5.13 branch. A big thanks to everyone who helped make Blesta better by reporting and confirming bugs on our forums and Discord chat. We appreciate your help!

The release notes are available at https://docs.blesta.com/support/releases/5/5133/.

Always run /admin/upgrade in your browser or via CLI after updating the files for your installation. A patch release may only be applied to the minor release to which it belongs. Only apply this patch if you are running 5.13.0, 5.13.1, or 5.13.2. If you are running an earlier version, you must download the full release.

Download 5.13.3 Patch | Download 5.13.3 Full

SHA256 Sum

% blesta-5.13.3.zip
6a58da9013f86b43fbd94210198c003159bd7c1e351bdb845e5865bc4ab967be

% blesta-5.13.2-5.13.3.zip
4c63bfc7c7968207e6092d016c8e416ed1fc8f3c8c2de6bf5363be6a54e625f9

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.


Security Advisory

January 28, 2026
Paul

Several security issues affecting Blesta versions 3.0.0 through 5.13.1 have been identified.

An input validation vulnerability (CORE-5665) and object injection vulnerabilities (CORE-5668, CORE-5680) have been discovered. One of these vulnerabilities could potentially allow remote code execution under certain conditions. We recommend applying the appropriate patch for your release, or upgrading to version 5.13.3 as soon as possible. We give this an impact rating of Critical.

Update (January 31, 2026): Version 5.13.3 has been released to address regressions introduced in 5.13.2. Please use 5.13.3 instead of 5.13.2 for both full and patch downloads.

More information about how we rate vulnerabilities can be found on our Security Advisories page.

Always back up your files and database prior to upgrading, and be sure to run /admin/upgrade in your browser after uploading either a patch or full release. A patch release may only be applied to the minor release to which it belongs, so download the appropriate patch for your minor version. If you are running a version of Blesta between 3.0 and 5.10, upgrade to 5.13.3.

Downloads

Download 5.13.3 Patch | Download 5.13.3 Full

% blesta-5.13.3.zip
6a58da9013f86b43fbd94210198c003159bd7c1e351bdb845e5865bc4ab967be

% blesta-5.13.0-5.13.3.zip
4c63bfc7c7968207e6092d016c8e416ed1fc8f3c8c2de6bf5363be6a54e625f9

Download 5.12.4 Patch

% blesta-5.12.0-5.12.4.zip
2bd8d7819f7b528c0b15f44e9f7c9e591515e1a9933fd029f65d0e16989f53ce

Download 5.11.5 Patch

% blesta-5.11.0-5.11.5.zip
5a6c872297624cd34dc64d5460f7946cf4b28ca29a5a89bec4ca2a951b2e5e6b

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

Full Release Notes for 5.13.2

  • [CORE-5619] - Generic Domains: .cl TLDs report as always available
  • [CORE-5624] - Security Fix
  • [CORE-5631] - CMS: Default URI shared between multiple companies
  • [CORE-5660] - Amazon S3 vendor code update not shipping with Blesta
  • [CORE-5661] - PostalMethods returns error, possible API change
  • [CORE-5662] - Adding Payment accounts can result in an error
  • [CORE-5665] - Security fix
  • [CORE-5668] - Security fix
  • [CORE-5669] - Investigate potential month date name display issues
  • [CORE-5670] - Stripe Payments: Possible rounding bug
  • [CORE-5671] - Invoice PDF’s do not observe the internationalization of dates
  • [CORE-5678] - Clients attempting to use “Forgot Password” encounter a blank screen
  • [CORE-5679] - Coupons no longer apply to config options when “Apply to Configurable Options” is checked
  • [CORE-5680] - Security fix
  • [CORE-5690] - Order: Limit keyword searches to spotlight TLDs

Resolution

  • If you are running version 5.13.x, apply the 5.13.3 patch above.
  • If you are running version 5.12.x, apply the 5.12.4 patch above.
  • If you are running version 5.11.x, apply the 5.11.5 patch above.
  • If you are running version 3.0.x through 5.10.x, upgrade to 5.13.3 Full.
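
The Resolution list and the published sums can be combined into a check that runs before any files are overwritten. The following is an added example, not Blesta's own tooling: it maps an installed version to the artifact named above and verifies a download against its published SHA-256. The function names are hypothetical, and the installed version is assumed to be supplied by the operator.

```shell
# Added example, not Blesta tooling; function names are hypothetical.
# File names and sums are copied from the download listings on this page.

# Print the SHA-256 published for an artifact file name; fail if it is not listed.
published_sum() {
  case "$1" in
    blesta-5.13.3.zip)
      echo 6a58da9013f86b43fbd94210198c003159bd7c1e351bdb845e5865bc4ab967be ;;
    blesta-5.13.0-5.13.3.zip|blesta-5.13.2-5.13.3.zip)  # both names appear with this sum
      echo 4c63bfc7c7968207e6092d016c8e416ed1fc8f3c8c2de6bf5363be6a54e625f9 ;;
    blesta-5.12.0-5.12.4.zip)
      echo 2bd8d7819f7b528c0b15f44e9f7c9e591515e1a9933fd029f65d0e16989f53ce ;;
    blesta-5.11.0-5.11.5.zip)
      echo 5a6c872297624cd34dc64d5460f7946cf4b28ca29a5a89bec4ca2a951b2e5e6b ;;
    *) return 1 ;;
  esac
}

# Map an installed version (e.g. 5.12.1) to the artifact the Resolution list names.
artifact_for() {
  case "$1" in 5.13.3|5.12.4|5.11.5) echo none; return 0 ;; esac  # already fixed
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
  case "$major.$minor" in
    5.13) echo blesta-5.13.0-5.13.3.zip ;;
    5.12) echo blesta-5.12.0-5.12.4.zip ;;
    5.11) echo blesta-5.11.0-5.11.5.zip ;;
    3.*|4.*|5.[0-9]|5.10) echo blesta-5.13.3.zip ;;  # unsupported branch: full release
    *) return 1 ;;                                   # version not covered by this advisory
  esac
}

# Hex SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Succeed only if FILE hashes to EXPECTED.
check_sum() { [ "$(sha256_of "$1")" = "$2" ]; }

# Return 0 if the download matches its published sum, 1 on mismatch, 2 if unlisted.
verify_download() {
  want=$(published_sum "$(basename "$1")") || { echo "unlisted: $1" >&2; return 2; }
  check_sum "$1" "$want" || { echo "SHA-256 mismatch: $1" >&2; return 1; }
}
```

Run `verify_download` on the archive named by `artifact_for` and unpack it only on a zero exit status; a mismatch means the file should be discarded and downloaded again.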

Mitigation

It is best to upgrade to 5.13.3 or apply the appropriate patch. However, if you are running an affected, unsupported version of Blesta (version 3.0 through 5.10) and you need more time to upgrade, it is possible to mitigate the most serious vulnerability, the one for which we gave this advisory an impact rating of Critical. If you have the 2Checkout payment gateway installed, update it to the latest version from the repository on GitHub: https://github.com/blesta/gateway-2checkout

Credits

Some of these issues were reported by Egidio Romano of Karma(In)Security in accordance with our Responsible Disclosure Policy. Other issues were discovered internally.

