PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43633 hestiacp CVE debrief

CVE-2026-43633 describes a critical deserialization weakness in HestiaCP’s web terminal feature affecting versions 1.9.0 through 1.9.4. The issue arises from a session format mismatch between PHP and Node.js: attacker-controlled data can be injected into HTTP headers, handled by the PHP session layer, and then incorrectly treated as trusted session content by the Node.js web terminal component. In the described impact, this can enable unauthenticated remote code execution with root-level consequences when the web terminal is enabled.

Vendor
hestiacp
Product
Unknown
CVSS
CRITICAL 9.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-19
Original CVE updated
2026-05-19
Advisory published
2026-05-19
Advisory updated
2026-05-19

Who should care

HestiaCP administrators and operators running versions 1.9.0 through 1.9.4, especially systems exposing the web terminal feature to untrusted networks. Security teams responsible for internet-facing control panels should treat this as urgent.

Technical summary

The vulnerability is a CWE-502 deserialization issue in a multi-language session handling path. According to the source description, crafted HTTP header input can survive PHP-side processing and later be deserialized by the Node.js web terminal as if it were trusted session state. That trust boundary failure can lead to arbitrary command execution. The source record also shows HestiaCP-related remediation activity in a commit, issue, and pull request.

Defensive priority

Critical. Prioritize immediate exposure reduction and patching for any HestiaCP deployment that has the web terminal enabled or reachable from untrusted networks.

Recommended defensive actions

  • Identify all HestiaCP deployments and confirm whether versions 1.9.0 through 1.9.4 are in use.
  • Apply the vendor fix associated with the referenced HestiaCP commit/pull request as soon as it is available in your release channel.
  • Disable or restrict the web terminal feature until patched, especially on internet-exposed systems.
  • Review access logs and web terminal activity for suspicious requests involving unusual HTTP headers or unexpected session behavior.
  • Limit administrative panel exposure to trusted networks and require strong authentication on all management interfaces.
  • After remediation, verify the deployed version and configuration state to ensure the vulnerable code path is no longer reachable.

Evidence notes

The CVE record published by NVD on 2026-05-19 is marked Deferred in the supplied source metadata. The supplied description attributes the flaw to HestiaCP versions 1.9.0 through 1.9.4 and identifies a PHP/Node.js session deserialization mismatch as the root cause. Referenced remediation and discussion links point to HestiaCP repository activity and related advisories. Vendor attribution in the supplied metadata is inconsistent, so the product name should be treated as the more reliable indicator here.

Official resources

Published 2026-05-19. The supplied NVD metadata marks the record as Deferred, and the references indicate HestiaCP-related remediation and advisory material. No KEV listing is provided in the source corpus.