HestiaCP 1.9.0-1.9.4 Deserialization RCE via Web Terminal_CVE-2026-43633

9.5 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP headers that are processed by the PHP session handler but incorrectly deserialized by the Node.js web terminal component as trusted session values, resulting in arbitrary command execution on systems with the web terminal feature enabled.

AI Analysis

Deserialization vulnerability in HestiaCP's web terminal component allows unauthenticated remote attackers to achieve root-level code execution.

Basic Information

ID CVE-2026-43633

Source VulnCheck

Published May 19, 2026 at 13:29

Modified May 19, 2026 at 14:00

Affected Product

Vendor hestiacp

Product hestiacp

Version 1.9.0

Affected Versions hestiacp hestiacp 1.9.0

CWE Classification

CWE-502

AI Assessment

AI Score 9.5 / 10

AI Severity Critical

Vendor HestiaCP

Product HestiaCP

Version 1.9.0-1.9.4

References

{
    "lastseen": "",
    "description": "HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP headers that are processed by the PHP session handler but incorrectly deserialized by the Node.js web terminal component as trusted session values, resulting in arbitrary command execution on systems with the web terminal feature enabled.",
    "published": "2026-05-19T13:29:55.780Z",
    "modified": "2026-05-19T14:00:36.715Z",
    "type": "cve",
    "title": "HestiaCP 1.9.0-1.9.4 Deserialization RCE via Web Terminal",
    "source": "VulnCheck",
    "references": "https://mercuryiss.com.au/hestiacp-unauthenticated-rce-ip-spoofing-cve-2026-43633-cve-2026-43634\nhttps://github.com/hestiacp/hestiacp/issues/5229\nhttps://github.com/hestiacp/hestiacp/pull/5244\nhttps://github.com/hestiacp/hestiacp/commit/854d71b3c1737b0a0d0cc55c926008ffe1f6719b\nhttps://www.vulncheck.com/advisories/hestiacp-deserialization-rce-via-web-terminal",
    "id": "CVE-2026-43633",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "hestiacp hestiacp 1.9.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.5,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "hestiacp",
    "version": "1.9.0",
    "vendor": "hestiacp",
    "ai_description": "Deserialization vulnerability in HestiaCP's web terminal component allows unauthenticated remote attackers to achieve root-level code execution.",
    "ai_severity": "Critical",
    "ai_vendor": "HestiaCP",
    "ai_product": "HestiaCP",
    "ai_version": "1.9.0-1.9.4",
    "ai_score": 9.5
}