PT-2026-41897 · Hestiacp · Hestiacp
Divinity76 (+1)
Published 2026-05-19 · Updated 2026-05-26 · CVE-2026-43633
CVSS v3.1: 10 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
HestiaCP versions 1.9.0 through 1.9.4
Description
A deserialization issue exists in the web terminal component due to a session format mismatch between PHP and Node.js. It allows unauthenticated remote attackers to achieve root-level code execution by injecting crafted data into HTTP headers: the headers are processed by the PHP session handler and then incorrectly deserialized by the Node.js web terminal component as trusted session values, leading to arbitrary command execution on systems where the web terminal feature is enabled.
Recommendations
Update HestiaCP (affected versions 1.9.0 through 1.9.4) to a patched release.
As a temporary workaround, disable the web terminal feature to minimize the risk of exploitation.
Exploit
Fix
RCE
Deserialization of Untrusted Data
Affected Products
Hestiacp