HestiaCP Web Terminal RCE: Critical Deserialization Vulnerability

The National Vulnerability Database has disclosed CVE-2026-43633, a critical deserialization vulnerability affecting HestiaCP versions 1.9.0 through 1.9.4. The flaw, rated CVSS 10.0, resides in the web terminal component and allows unauthenticated remote attackers to achieve root-level code execution.

The vulnerability stems from a session format mismatch between the PHP and Node.js components. Data injected into HTTP headers is processed by the PHP session handler and then incorrectly deserialized by the Node.js web terminal as trusted session values, leading directly to arbitrary command execution on systems where the web terminal feature is enabled.

This is a full-chain RCE from an unauthenticated, remote attacker, and the implications are severe: complete system compromise without any prior access. Defenders should recognize that enabling a web terminal, while convenient, significantly expands the attack surface unless it is meticulously secured. This is not just a bug; it is a fundamental design flaw in session handling across different runtimes, and it is exactly the kind of cross-component interaction that attackers constantly probe.

What This Means For You

  • If your organization uses HestiaCP, immediately check your version. If you are running affected versions (1.9.0-1.9.4) and have the web terminal enabled, you are at extreme risk. Patch or disable the web terminal component *now*. Assume compromise if this feature was exposed to the internet.
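A small triage helper for the check described above, written here as an added example (it is not HestiaCP's own code). It reads hestia.conf-style `KEY='value'` lines and reports whether the host is in the affected window and has the web terminal enabled; the key names `VERSION` and `WEB_TERMINAL`, and the sample config, are assumptions constructed for the example.

```python
"""Triage a HestiaCP host against the CVE-2026-43633 advisory.
Added example; key names VERSION / WEB_TERMINAL and the sample
configuration below are assumptions, not taken from a real host."""
import re

AFFECTED_MIN = (1, 9, 0)   # first affected release per the advisory
AFFECTED_MAX = (1, 9, 4)   # last affected release per the advisory

# Constructed sample of a hestia.conf fragment (assumed key names).
SAMPLE_CONF = """
# constructed sample, not a real configuration
VERSION='1.9.3'
WEB_TERMINAL='true'
WEB_TERMINAL_PORT='8085'
"""

def parse_conf(text):
    """Parse KEY='value' / KEY=value lines into a dict, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Z0-9_]+)=['\"]?([^'\"]*)['\"]?$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def parse_version(ver):
    """'1.9.3' -> (1, 9, 3); a missing patch level counts as 0 and any
    trailing suffix such as '-beta' is ignored for range comparison."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    return tuple(int(x or 0) for x in m.groups())

def is_affected_version(ver):
    return AFFECTED_MIN <= parse_version(ver) <= AFFECTED_MAX

def triage(conf_text):
    """Return 'not-in-affected-range', 'affected-terminal-disabled'
    or 'exposed' (affected version AND web terminal enabled)."""
    conf = parse_conf(conf_text)
    if not is_affected_version(conf.get("VERSION", "0.0.0")):
        return "not-in-affected-range"
    if conf.get("WEB_TERMINAL", "false").lower() != "true":
        return "affected-terminal-disabled"
    return "exposed"

if __name__ == "__main__":
    print(triage(SAMPLE_CONF))
```

An "exposed" verdict on an internet-facing host should be treated as the advisory says: assume compromise and disable or patch the component immediately.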

Indicators of Compromise

ID | Type | Indicator
CVE-2026-43633 | Vulnerability | CVE-2026-43633
Source & Attribution
Source Platform: NVD
Channel: National Vulnerability Database
Published: May 19, 2026 at 17:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
