Description
HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP headers that are processed by the PHP session handler but incorrectly deserialized by the Node.js web terminal component as trusted session values, resulting in arbitrary command execution on systems with the web terminal feature enabled.
Published: 2026-05-19
Score: 9.5 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an insecure deserialization of session data in the web terminal component of HestiaCP 1.9.0–1.9.4: HTTP headers crafted by an unauthenticated attacker are interpreted by the Node.js process as trusted session values. This mismatch between PHP and Node.js session handling allows execution of arbitrary commands with root privileges on the host system.

Affected Systems

This flaw affects deployments running HestiaCP web control panel versions 1.9.0 through 1.9.4 with the web terminal feature enabled. Systems without the web terminal, or running later versions, are not affected.

Risk and Exploitability

With a CVSS score of 9.5 the vulnerability is rated critical. No EPSS value is published, and the absence of a KEV listing indicates no confirmed widespread exploitation as of now, but the potential for unauthenticated remote code execution makes it a high-risk issue. An attacker can compromise a host by submitting specially crafted HTTP headers without needing credentials.

Generated by OpenCVE AI on May 19, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade HestiaCP to the latest stable release (v1.9.5 or newer) where the session mismatch is resolved.
  • Temporarily disable the web terminal feature on all affected instances until the patch is applied.
  • Configure the web server to reject unused or suspicious HTTP headers and restrict access to the web terminal to trusted IP ranges only.

Advisories

No advisories yet.

History

Tue, 19 May 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Hestiacp; Hestiacp hestiacp

Type: Vendors & Products
Values Removed: none
Values Added: Hestiacp; Hestiacp hestiacp

Tue, 19 May 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 May 2026 13:45:00 +0000

Type: Description
Values Removed: none
Values Added: HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP headers that are processed by the PHP session handler but incorrectly deserialized by the Node.js web terminal component as trusted session values, resulting in arbitrary command execution on systems with the web terminal feature enabled.

Type: Title
Values Removed: none
Values Added: HestiaCP 1.9.0-1.9.4 Deserialization RCE via Web Terminal

Type: Weaknesses
Values Removed: none
Values Added: CWE-502

Type: References
Values Removed: none
Values Added: none

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Type: Metrics (cvssV4_0)
Values Removed: none
Values Added: {'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-19T14:00:36.715Z

Reserved: 2026-05-01T18:22:45.641Z

Link: CVE-2026-43633

Vulnrichment

Updated: 2026-05-19T13:59:11.216Z

NVD

Status : Deferred

Published: 2026-05-19T14:16:43.460

Modified: 2026-05-19T14:43:04.157

Link: CVE-2026-43633

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T14:45:07Z

Weaknesses