Deserialization Vulnerability in HestiaCP Web Terminal Component
CVE-2026-43633
9.5 CRITICAL
Key Information:
Exploit Exists
What is CVE-2026-43633?
HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component. The flaw stems from a mismatch between the session format written by PHP and the format the Node.js component expects to read: by injecting crafted data through HTTP headers, an unauthenticated remote attacker can influence what the PHP session handler stores, and the Node.js component then deserializes that data incorrectly. On systems where the web terminal feature is enabled, this can lead to arbitrary command execution.
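The class of bug described above is a format mismatch: PHP's default session serialize handler (`session.serialize_handler = php`) writes each entry as `key|<php-serialized value>`, where a string is encoded as `s:<byte length>:"<bytes>";`, so a string value may legitimately contain `|`, `;` or `"`. A non-PHP consumer that reads such a file by splitting on delimiters instead of honoring the length prefix can be made to see keys and values the PHP side never wrote. The following is an added illustration of that mechanism and of a length-honoring reader that rejects malformed input; it is not HestiaCP's code and does not reproduce the exact HestiaCP flaw. The session string is constructed for the example, and `naiveParse` and `strictParse` are hypothetical names.

```javascript
// Added example (not HestiaCP code): reading PHP "php"-handler session data
// from Node.js. PHP writes: key|s:<len>:"<bytes>";key|i:<int>;key|b:<0|1>;key|N;
// The byte-length prefix is what makes the format unambiguous; a reader that
// ignores it is confusable by attacker-controlled string content.

// Constructed sample: $_SESSION['role'] = 'user';
//                     $_SESSION['user'] = 'x";role|s:5:"admin';
// PHP serializes the second value with its true length (18 bytes).
const SESSION = 'role|s:4:"user";user|s:18:"x";role|s:5:"admin";';

// Hypothetical lax reader: splits on ';' and '|' and pattern-matches strings.
// The attacker-controlled 'user' value smuggles in a second 'role' entry.
function naiveParse(session) {
  const out = {};
  for (const chunk of session.split(';')) {
    if (!chunk) continue;
    const bar = chunk.indexOf('|');
    if (bar === -1) continue;
    const key = chunk.slice(0, bar);
    const val = chunk.slice(bar + 1);
    const m = /^s:\d+:"(.*)"$/.exec(val);
    out[key] = m ? m[1] : val;
  }
  return out;
}

// Hypothetical strict reader: consumes the input sequentially, honors s:<len>
// byte counts, and throws on anything that does not match the grammar.
function strictParse(session) {
  const buf = Buffer.from(session, 'utf8'); // PHP lengths are byte counts
  const out = {};
  let pos = 0;

  const expect = (lit) => {
    if (buf.toString('latin1', pos, pos + lit.length) !== lit) {
      throw new Error(`malformed session at byte ${pos}: expected ${JSON.stringify(lit)}`);
    }
    pos += lit.length;
  };
  const readUntil = (ch) => {
    const end = buf.indexOf(ch, pos);
    if (end === -1) throw new Error(`malformed session: missing ${JSON.stringify(ch)}`);
    const s = buf.toString('latin1', pos, end);
    pos = end;
    return s;
  };

  while (pos < buf.length) {
    const key = readUntil('|');
    pos += 1; // skip '|'
    const type = String.fromCharCode(buf[pos]);
    if (type === 's') {
      expect('s:');
      const len = Number(readUntil(':'));
      if (!Number.isInteger(len) || len < 0) throw new Error('malformed string length');
      expect(':"');
      if (pos + len > buf.length) throw new Error('string length exceeds data');
      out[key] = buf.toString('utf8', pos, pos + len);
      pos += len;
      expect('";'); // the closing quote must sit exactly where the length says
    } else if (type === 'i') {
      expect('i:');
      const digits = readUntil(';');
      if (!/^-?\d+$/.test(digits)) throw new Error('malformed integer');
      out[key] = Number(digits);
      pos += 1;
    } else if (type === 'b') {
      expect('b:');
      if (buf[pos] !== 0x30 && buf[pos] !== 0x31) throw new Error('malformed boolean');
      out[key] = buf[pos] === 0x31;
      pos += 1;
      expect(';');
    } else if (type === 'N') {
      expect('N;');
      out[key] = null;
    } else {
      throw new Error(`unsupported value type ${JSON.stringify(type)} for key ${JSON.stringify(key)}`);
    }
  }
  return out;
}

// Side-by-side: the lax reader reports role=admin, the strict reader keeps
// role=user and returns the smuggled text as the value of 'user'.
console.log('naive :', naiveParse(SESSION));
console.log('strict:', strictParse(SESSION));
```

Two practical caveats follow from this. First, PHP has more than one session encoding (`php`, `php_binary`, `php_serialize`), so a consumer in another language must be pinned to the handler actually configured, and any mismatch should fail closed rather than be guessed around. Second, even a correct parser only tells you what PHP stored; whether a field such as a username or role is trustworthy depends on how the PHP side populated it, so values that originate from request headers should never be promoted to authorization decisions without independent validation.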
Affected Version(s)
hestiacp >= 1.9.0, <= 1.9.4
hestiacp 854d71b3c1737b0a0d0cc55c926008ffe1f6719b
References
CVSS V4
Score:
9.5
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved
Credit
sutol
divinity76
