Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP headers that are processed by the PHP session handler but incorrectly deserialized by the Node.js web terminal component as trusted session values, resulting in arbitrary command execution on systems with the web terminal feature enabled.
AnalysisAI
Unauthenticated root-level remote code execution affects HestiaCP versions 1.9.0 through 1.9.4 when the optional web terminal feature is enabled, stemming from a session-handling format mismatch (CWE-502) between the PHP backend and the Node.js web terminal. Remote attackers can inject crafted HTTP header data that PHP writes into session storage but Node.js parses with naive string splitting, yielding arbitrary command execution as root; no public exploit identified at time of analysis, though VulnCheck has published a technical advisory and the upstream patch is publicly diffable.
Technical ContextAI
HestiaCP is an open-source Linux web hosting control panel. Its optional web terminal ships as a Node.js WebSocket server (src/deb/web-terminal/server.js) that reuses the PHP control panel's filesystem session store. The pre-patch Node.js code read /data/sessions/sess_<id> directly and extracted the authenticated username with brittle substring parsing such as session.split('user|s:')[1].split('"')[1] against PHP's serialized session format. Because PHP's session handler will persist attacker-controllable request data (notably the spoofable client IP/header values that PHP serializes into the session file) and the Node.js side never validated session integrity, an attacker can poison the serialized blob with synthetic 'user|s:' tokens that the Node parser treats as a trusted username, which is then passed into a shell command executed as root. This is a classic deserialization-trust-boundary failure (CWE-502) compounded by mixing two languages' session encodings. The fix replaces the ad-hoc string split with a dedicated PHP helper (web-terminal-session-auth.php) invoked via execFileSync that performs a proper session_start() and returns JSON, and additionally hardens cookie parsing so duplicate or malformed HESTIASID cookies are rejected.
RemediationAI
Upgrade HestiaCP to the version containing fix commit 854d71b3c1737b0a0d0cc55c926008ffe1f6719b (merged via PR https://github.com/hestiacp/hestiacp/pull/5244); a vendor-released patched build is available per the project's release channel, and operators should track the GitHub release tagged after 1.9.4 for the exact version string. Until the upgrade is applied, disable the web terminal feature in the HestiaCP admin panel - this fully eliminates the attack surface at the cost of removing browser-based shell access for administrators. As a partial network-layer compensating control, restrict access to the HestiaCP management port (default 8083) and the web terminal WebSocket endpoint to a trusted management VLAN or VPN using iptables/ufw, accepting the trade-off that admins lose remote console access from arbitrary networks. Review the VulnCheck advisory (https://www.vulncheck.com/advisories/hestiacp-deserialization-rce-via-web-terminal) and the upstream issue (https://github.com/hestiacp/hestiacp/issues/5229) for detection guidance; note that CVE-2026-43634 (IP spoofing) is referenced alongside this issue and should be remediated together.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30933
GHSA-p57r-8pg4-2892