Security Advisory

May 18, 2026
Paul

Several security issues affecting Blesta versions 3.0.0 through 5.13.7 have been identified. Patches are being released for the 5.12 and 5.13 branches.

These include an authorization issue, a low-severity enumeration issue on a public endpoint (no customer or account data is exposed), an inbound email header parsing issue in the Support Manager, two issues that could allow code execution by a caller already holding valid API credentials, a password-reset flow issue that could weaken account protections under specific conditions, and additional hardening to CSRF token verification and the Uploads component. Individual issues range in severity, but we give this an overall impact rating of High based on the most severe issue. We recommend applying the appropriate patch for your release, or upgrading to version 5.13.8 as soon as possible.

More information about how we rate vulnerabilities can be found on our Security Advisories page.

Always back up your files and database prior to upgrading and be sure to run /admin/upgrade in your browser after uploading either a patch or full release. Patch releases may only be applied to the minor release to which it belongs, so download the appropriate patch for your minor version. If you are running a version of Blesta between 3.0 and 5.10, upgrade to 5.13.8.

Downloads

Download 5.13.8 Patch Download 5.13.8 Full

% blesta-5.13.8.zip
b88fc1dc765f335ffb79155b0b8d606fad79924e7842fd94bc827ea4a0e12d15

% blesta-5.13.0-5.13.8.zip
9f3b93080020359a3818ca7ac64ab8cfb084d7c60571bdb58258d742be989d62

Download 5.12.5 Patch

% blesta-5.12.0-5.12.5.zip
553fcd4e54526f8798bb04b6ba87861509d6690c1f8f95329f8ba7d1707e05d6

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

Full Release Notes for 5.13.8

  • [CORE-5912] - Cancel options not available if there are any open invoices
  • [CORE-5927] - Security fix
  • [CORE-5928] - Security fix
  • [CORE-5929] - Security fix
  • [CORE-5935] - Security fix
  • [CORE-5936] - Fix an issue with expired coupons
  • [CORE-5944] - Security fix
  • [CORE-5945] - Security fix
  • [CORE-5947] - Security fix
  • [CORE-5953] - Security fix
  • [CORE-5956] - Quotations::getAll() does not support a status of ‘all’

Resolution

  • If you are running version 5.13.x, apply the 5.13.8 patch above.
  • If you are running version 5.12.x, apply the 5.12.5 patch above.
  • If you are running version 3.0.x through 5.11.x, upgrade to 5.13.8 Full.

Mitigation

It is best to apply the appropriate patch or upgrade to 5.13.8 as soon as possible. If you need more time before patching, the following interim measures reduce exposure for two of the issues:

  • Audit your API keys. Go to Settings → Company → API Access and disable or remove any keys belonging to retired integrations, test accounts, or applications you do not fully trust. Rotate any keys that may have been exposed in deploy scripts, source repositories, or .env files. The two API-reachable code execution issues in this release require a valid API key, so reducing the number of active keys reduces the attack surface.
  • If you do not use the Support Manager’s inbound email-to-ticket feature, disable it. Go to Support → Departments → Edit and update “Email Handling” to None. One issue in this release affects how inbound email headers are parsed; if you are not pulling mail into Blesta, this code path is not reached.

Note on API-reachable issues

Two of the issues addressed in this release are reachable only by a caller that already holds valid Blesta API credentials. As documented, the Blesta API grants full administrative access to the installation — any valid API credentials can call every public model method in Blesta core and in installed extensions. API credentials should be treated accordingly and only used from fully trusted, first-party applications. If you need a narrower or purpose-built interface for an untrusted client or third-party integration, build it as a plugin that exposes its own endpoint rather than calling the core API directly. These issues are still being patched because the gap between “holds an API key” and “executes code on the host” should not exist, but they are not reachable by an unauthenticated attacker.

Credits

Five of these issues were reported by Curtis at Terabit in accordance with our Responsible Disclosure Policy. The remaining issues were discovered internally.


Blesta 6 Preview: Part 2

May 4, 2026
Paul

In our last preview we walked through the new admin experience in Blesta 6. This time we’re focusing on two more major updates — AI features built right into the platform, and a much better Support Manager. This is the first time we’re talking about AI in Blesta publicly, but there’s more we haven’t covered here.

AI: Content Generation

In Blesta 6, you can generate content right where you need it. Need a package description? Describe what the package offers, and Blesta AI will draft it for you. The same works for HTML email templates — give it a rough idea, or rewrite an existing template, and it generates clean, styled HTML you can customize from there. The model understands available tags, filters, and loops, so the output is useful right away. It works great as a starting point.

AI: Chatbot in the Admin Panel

The AI assistant lives right in the admin panel, accessible from the icon bar. You can ask general questions, but what makes it really useful are the prompt mode cards.

  • Custom Report mode generates SQL queries for you. Describe the report you want, and it builds a query you can drop straight into a custom report — fields and all. You don’t need to dig through the database schema yourself; the assistant understands Blesta’s reporting structure.
  • API Query mode writes ready-to-use API calls — in curl or PHP — based on your Blesta API. Need to automate something? Describe it, and you’ve got working code.
  • Developer Help mode helps you write module and plugin code. It understands Blesta’s architecture and can generate scaffolding you can copy into your project.

All of this is optional. Access can be granted by staff group, and you can hide the AI icon from your icon bar settings if you don’t plan to use it, but we think you’ll want to.

AI: Support Manager Integration

Where AI really shines is in the Support Manager. Support replies can be long. Instead of reading through every detail up front, summarize a reply in one click — start with the summary, then skim the full reply when you need more detail.

Summaries are nice, but here’s where it gets powerful. In settings, you control how much autonomy Blesta AI has. Below your confidence threshold, it drafts a reply for staff to review. Above it, the reply can be sent automatically.

Picture how that plays out: a client opens a new ticket, it shows up in the queue, AI drafts a reply, sends it, and the ticket transitions to “Awaiting Client Reply” — no staff involvement. It can also adjust priority along the way, so an “EMERGENCY” that isn’t really an emergency ends up at the right priority. When the client replies to confirm, AI can recognize the issue is resolved and close the ticket. From open to resolved, no human in the loop, not on your side.

Start conservative, monitor the replies, tune your system prompt, and remove the Human Review requirement when you’re ready. Replies are just one piece — AI can also use tools to close tickets, change priority, or assign them to the right staff member, all based on the rules you define. Between the replies, the tools, and the confidence controls, this isn’t just AI assistance — it’s a configurable first line of support. Common questions get answered faster, while your staff focus on the critical issues that Blesta AI doesn’t have the confidence level required to respond to on its own.

Support Manager: Workflow Improvements

Beyond AI, the Support Manager itself has been reworked. The ticket listing has a brand new filter sidebar — filter by department, status, priority, or assigned staff, all from the sidebar. It makes a busy queue much easier to work through, especially when you’re handling dozens or hundreds of open tickets.

The ticket view has been restructured too. Ticket details — department, priority, assigned staff, client info — now live in a sidebar on the left. That keeps the reply box near the top of the page instead of pushing it below a wall of metadata. You see the conversation, and you can start typing immediately. If you use pre-defined responses, Ctrl+Shift+R opens the response picker without reaching for the mouse — use the arrow keys, choose a response, and keep moving. For teams that handle a high volume of tickets, these workflow improvements add up fast.

The soundtrack to Blesta AI

Every leap forward deserves its own soundtrack. Following “Paradigm,” here’s the full, original track for Blesta AI — give it a listen:

Billing Brawlers · Blesta AI

What’s Next

With Blesta AI enabled, Blesta can summarize tickets, draft replies, send approved responses, and use configurable tools — all inside a Support Manager that’s more powerful than ever. Pair that with the new admin experience we previewed last time, and you’ve got Blesta 6. We can’t wait to get it into your hands. Beta 1 is right around the corner, and we will need your help to test it.

Stay Connected!

Like our Facebook page, join our Facebook group and Subreddit, follow us on Twitter, and join us in Discord.


Blesta 5.13.7 Patch Released

April 27, 2026
Paul

We are pleased to announce the release of Blesta 5.13.7, which addresses bugs discovered in the 5.13 branch. A big thanks to everyone who participated in helping to make Blesta better by reporting and confirming bugs on our forums and discord chat, we appreciate your help!

The release notes are available at https://docs.blesta.com/support/releases/5/5137/.

Always run /admin/upgrade in your browser or via CLI after updating the files for your installation. Patch releases may only be applied to the minor release to which it belongs. Only apply this patch if you are running 5.13.0, 5.13.1, 5.13.2, 5.13.3, 5.13.4, 5.13.5, or 5.13.6. If you are running an earlier version, you must download the full release.

Download 5.13.7 Patch Download 5.13.7 Full

SHA256 Sum

% blesta-5.13.7.zip
675b04404e61eae3dbf4725d854cf619f07502f65634ede33fb9b48c58ba299b

% blesta-5.13.0-5.13.7.zip
2544cc3edc2b399680534603417d3c441041cc559b332369f46b1a3fc33f0816

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.


Blesta 6 Preview: Part 1

April 16, 2026
Paul

In December we gave you a first look at the new Blesta 6 admin UI. That video was a design preview. This one is the real thing. Blesta 6 isn’t just a facelift. The entire admin panel has been re-imagined with a new framework, new layout, and new workflows. This is our biggest update since version 3, by far — tens of thousands of lines of code.

Dashboard

The dashboard will feel familiar, but the design is a big step forward. Everything is cleaner, faster, and easier to read. And yes – full dark mode across every page, every widget, every plugin. Toggle between light and dark with a single click.

Navigation has moved to the left, giving you more vertical space to work with. Two new bars round out the experience: a top bar for search, notifications, and quick actions, and a customizable icon bar on the left. The icon bar supports drag-and-drop reordering, any Bootstrap icon, and custom links to wherever you need. Set it up the way you work and you may rarely need the main nav at all.

Client Profile

Use Ctrl+K to search and jump to any client instantly. The client profile has been overhauled — panels open smoothly and remember their state between visits. A new bulk actions bar makes managing services faster, and Quick Jump lets you skip straight to the section you need. Pinned notes are displayed right on the profile, perfect for things your team needs to see at a glance.

Configurable Options

Configurable options have been completely redesigned. Drag and drop to reorder. Filter options by keyword, then copy and paste them between groups. What used to take minutes of re-entry now takes seconds.

Settings & Search

Settings are now accessed from the bottom of the icon bar. Step-up authentication, introduced in 5.13, has been refined — sessions can be extended so you’re not constantly re-authenticating, and a visual timer appears as a badge when there’s less than 5 minutes remaining. Need to find something specific? Search the settings nav and it filters in real time as you type. The navigation editor supports drag-and-drop reordering and custom icons so you can tailor the admin experience for your team.

Real-Time Notifications

A brand new notification system surfaces orders, support tickets, and other events as real-time notifications. Stay on top of what matters without refreshing the page.

We’ve only scratched the surface here. There’s a lot more to show off, and our next video will cover some of the new features coming to version 6 as we get closer to release.

Stay Connected!

Like our Facebook page, join our Facebook group and Subreddit, follow us on Twitter, and join us in Discord.


Blesta 5.13.6 Patch Released

March 23, 2026
Paul

We are pleased to announce the release of Blesta 5.13.6, which addresses bugs discovered in the 5.13 branch. A big thanks to everyone who participated in helping to make Blesta better by reporting and confirming bugs on our forums and discord chat, we appreciate your help!

The release notes are available at https://docs.blesta.com/support/releases/5/5136/.

Always run /admin/upgrade in your browser or via CLI after updating the files for your installation. Patch releases may only be applied to the minor release to which it belongs. Only apply this patch if you are running 5.13.0, 5.13.1, 5.13.2, 5.13.3, 5.13.4, or 5.13.5. If you are running an earlier version, you must download the full release.

Download 5.13.6 Patch Download 5.13.6 Full

SHA256 Sum

% blesta-5.13.6.zip
36d30707d3af3bbce969bd60358796425a085c40ac466cab8bbf8c7e2b7a40c5

% blesta-5.13.0-5.13.6.zip
c0d2919403d63bcb0cca98ad43cc5c56b2c82d2c130082a6a86d6ab1fca204ff

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.


Top