Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.5
CVE-2026-43633: HestiaCP Web Terminal Session Format Mismatch Allows Root Access
CVE-2026-43633
Summary
HestiaCP versions 1.9.0 to 1.9.4 have a security weakness in the web terminal. Attackers can exploit this weakness to gain full control over a system with the web terminal feature enabled. To protect your system, update to a fixed version of HestiaCP as soon as possible.
Original title
HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated r...
Original description
HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP headers that are processed by the PHP session handler but incorrectly deserialized by the Node.js web terminal component as trusted session values, resulting in arbitrary command execution on systems with the web terminal feature enabled.
nvd CVSS3.1
10.0
nvd CVSS4.0
9.5
Vulnerability type
CWE-502
Deserialization of Untrusted Data
- https://github.com/hestiacp/hestiacp/commit/854d71b3c1737b0a0d0cc55c926008ffe1f6...
- https://github.com/hestiacp/hestiacp/issues/5229
- https://github.com/hestiacp/hestiacp/pull/5244
- https://mercuryiss.com.au/hestiacp-unauthenticated-rce-ip-spoofing-cve-2026-4363...
- https://www.vulncheck.com/advisories/hestiacp-deserialization-rce-via-web-termin...
Published: 19 May 2026 · Updated: 28 May 2026 · First seen: 19 May 2026