Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665.

Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668.

Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680.