CVE-2026-12196 is a high-severity broken access control vulnerability in the HestiaCP panel cronjob feature. According to the available sources, a low-privilege user can modify the panel cronjob so that HestiaCP management scripts are executed with passwordless sudo. This breaks the privilege boundary between low-privileged panel users and privileged HestiaCP administrative or system-level operations. Successful exploitation can enable an attacker to use trusted management-script execution paths to escalate privileges, leading to administrator takeover within the HestiaCP application and compromise of the underlying webserver. The available sources do not identify the specific vulnerable function or code path.
No public exploit code observed for this vulnerability.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A broken access control vulnerability in the HestiaCP panel cronjob feature that allows low-privilege users to modify cronjob behavior and execute HestiaCP management scripts with passwordless sudo, potentially leading to administrator takeover and compromise of the underlying webserver.
A broken authorization vulnerability in HestiaCP that allows a low-privileged user to modify privileged panel cron jobs, leading to admin account takeover and effective remote code execution via passwordless sudo-accessible administrative scripts.