CVE-2026-43633
CRITICAL: HestiaCP 1.9.0-1.9.4 Deserialization RCE via Web Terminal
Title source: cnaDescription
HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP headers that are processed by the PHP session handler but incorrectly deserialized by the Node.js web terminal component as trusted session values, resulting in arbitrary command execution on systems with the web terminal feature enabled.
References (5)
- Exploit / technical description: https://mercuryiss.com.au/hestiacp-unauthenticated-rce-ip-spoofing-cve-2026-43633-cve-2026-43634
- Issue tracking: https://github.com/hestiacp/hestiacp/issues/5229
- Issue tracking: https://github.com/hestiacp/hestiacp/pull/5244
- Third-party advisory: https://www.vulncheck.com/advisories/hestiacp-deserialization-rce-via-web-terminal
Scores
- CVSS v3: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- Attack Vector: NETWORK
- EPSS: 0.0107 (percentile: 60.4%)
- CISA SSVC (Vulnrichment): Exploitation: poc; Automatable: yes; Technical Impact: total
Details
- CWE: CWE-502
- Status: published

Products (2)
- hestiacp/hestiacp 1.9.0 - 1.9.4
- hestiacp/hestiacp 854d71b3c1737b0a0d0cc55c926008ffe1f6719b

Published: May 19, 2026
Tracked Since: May 19, 2026