CVE-2026-43633 · CRITICAL 10.0 · EPSS percentile 60.5%

Description

HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP headers that are processed by the PHP session handler but incorrectly deserialized by the Node.js web terminal component as trusted session values, resulting in arbitrary command execution on systems with the web terminal feature enabled.

Scoring

CVSS 3.1: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.07% probability of exploitation · percentile 60.5% · 2026-06-19T12:03:05Z
Published: 2026-05-19
Last modified: 2026-05-19

Underlying weaknesses · 1

CWE-502

References

  1. https://github.com/hestiacp/hestiacp/commit/854d71b3c1737b0a0d0cc55c926008ffe1f6719b
  2. https://github.com/hestiacp/hestiacp/issues/5229
  3. https://github.com/hestiacp/hestiacp/pull/5244
  4. https://mercuryiss.com.au/hestiacp-unauthenticated-rce-ip-spoofing-cve-2026-43633-cve-2026-43634
  5. https://www.vulncheck.com/advisories/hestiacp-deserialization-rce-via-web-terminal

Type      Target                                       Confidence  Tier
Weakness  Deserialization of Untrusted Data (cwe-502)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-23702
  2. CVE: CVE-2026-42471
  3. CVE: CVE-2025-41734
  4. CVE: CVE-2026-49957
  5. CVE: CVE-2025-61492
  6. CVE: CVE-2026-22903

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.