
HestiaCP CVE-2026-43633

EUVD-2026-30933 | CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-05-19 | VulnCheck | GHSA-p57r-8pg4-2892
CVSS 4.0: 9.5

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

May 19, 2026, 14:30 (vuln.today): Source code evidence fetched
May 19, 2026, 14:30 (vuln.today): Analysis generated
May 19, 2026, 14:22 (NVD): CVSS changed from 10.0 (CRITICAL) to 9.5 (CRITICAL)

Description (NVD)

HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP headers that are processed by the PHP session handler but incorrectly deserialized by the Node.js web terminal component as trusted session values, resulting in arbitrary command execution on systems with the web terminal feature enabled.

Analysis (AI-generated)

Unauthenticated root-level remote code execution affects HestiaCP versions 1.9.0 through 1.9.4 when the optional web terminal feature is enabled. The flaw stems from a session-handling format mismatch (CWE-502) between the PHP backend and the Node.js web terminal: remote attackers can inject crafted HTTP header data that PHP writes into session storage but Node.js parses with naive string splitting, yielding arbitrary command execution as root. No public exploit had been identified at the time of analysis, though VulnCheck has published a technical advisory and the upstream patch is publicly diffable.
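The parser mismatch described above, as an added example that is not HestiaCP's code and not taken from the advisory: a strict reader of PHP's default session serialization format beside a naive split-based reader, both run over a constructed session string. Function names, the sample session and its values are hypothetical.

```javascript
// Added illustration, not HestiaCP code. PHP's default session format is
// `name|<serialize()-encoded value>` entries concatenated; s/i/b/N only.
// Strict parser: honours each string's byte-length prefix and demands the
// exact `";` terminator, so ';' or '|' inside a value never starts a new entry.
// Pass a Buffer of the raw session bytes so lengths count bytes, as PHP does.
function parsePhpSession(raw) {
  const s = Buffer.isBuffer(raw) ? raw.toString("latin1") : String(raw);
  const out = {};
  let pos = 0;
  while (pos < s.length) {
    const bar = s.indexOf("|", pos);
    if (bar <= pos) throw new Error(`malformed entry name at offset ${pos}`);
    const name = s.slice(pos, bar);
    pos = bar + 1;
    let m;
    if ((m = /^s:(\d+):"/.exec(s.slice(pos)))) {
      const start = pos + m[0].length;
      const end = start + Number(m[1]);
      if (s.slice(end, end + 2) !== '";') throw new Error(`bad string terminator for '${name}'`);
      out[name] = Buffer.from(s.slice(start, end), "latin1").toString("utf8");
      pos = end + 2;
    } else if ((m = /^([ib]):(-?\d+);/.exec(s.slice(pos)))) {
      out[name] = m[1] === "i" ? Number(m[2]) : m[2] === "1";
      pos += m[0].length;
    } else if (s.startsWith("N;", pos)) {
      out[name] = null;
      pos += 2;
    } else {
      throw new Error(`unsupported or malformed value for '${name}' at offset ${pos}`);
    }
  }
  return out;
}

// Naive parser of the kind the advisory describes: split on ';' and '|' and
// strip the s:N:" wrapper, so any ';' or '|' inside a string value is taken
// as an entry boundary and one variable is read back as several.
function naiveParsePhpSession(raw) {
  const out = {};
  for (const entry of String(raw).split(";")) {
    if (!entry) continue;
    const [name, value = ""] = entry.split("|");
    out[name] = value.replace(/^s:\d+:"/, "").replace(/"$/, "");
  }
  return out;
}

// Constructed sample: three variables; the 15-byte `theme` value contains
// '"', ';' and '|', which the naive parser misreads as a fourth key `lang`.
const SAMPLE_SESSION = 'user|s:5:"alice";theme|s:15:"x";lang|s:2:"fr";count|i:3;';
```

The strict reader returns exactly the three variables PHP stored and throws on a malformed entry, which is the behaviour a consumer of PHP session data needs before treating any field as trusted.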


Remediation (AI-generated)

Within 24 hours: Identify all systems running HestiaCP 1.9.0-1.9.4 and determine which have the web terminal feature enabled. Within 7 days: Deploy the vendor patch for CVE-2026-43633 across all affected instances, or disable the web terminal feature as an interim measure. …

