divinity76

3 exploits Active since May 2025
CVE-2026-43633 WRITEUP CRITICAL WRITEUP
HestiaCP 1.9.0-1.9.4 Deserialization RCE via Web Terminal
HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP headers that are processed by the PHP session handler but incorrectly deserialized by the Node.js web terminal component as trusted session values, resulting in arbitrary command execution on systems with the web terminal feature enabled.
CVSS 10.0
CVE-2026-43634 WRITEUP HIGH WRITEUP
HestiaCP 1.2.0-1.9.4 IP Spoofing via CF-Connecting-IP Header
HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.
CVSS 7.5
CVE-2025-48883 WRITEUP MEDIUM WRITEUP
chrome-php/chrome < 1.14.0 - Cross-Site Scripting via CSS Selector Expression
Chrome PHP allows users to start playing with chrome/chromium in headless mode from PHP. Prior to version 1.14.0, CSS Selector expressions are not properly encoded, which can lead to XSS (cross-site scripting) vulnerabilities. This is patched in v1.14.0. As a workaround, users can apply encoding manually to their selectors if they are unable to upgrade.