CVE-2026-43634 is a high-severity IP spoofing flaw in HestiaCP. According to the published description, affected versions 1.2.0 through 1.9.4 accept an arbitrary CF-Connecting-IP value without first verifying that the request actually came from Cloudflare. That breaks the trust model for client-IP handling and can let unauthenticated remote attackers bypass IP-based authentication controls, evade brute-fo [truncated]
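The mitigation the description implies is that the origin must only honor CF-Connecting-IP when the TCP peer is actually a Cloudflare edge, and otherwise key authentication and rate limiting on the socket address. The following Python is an added illustration written for this page, not HestiaCP's own code: the trusted-proxy list uses constructed documentation prefixes as a placeholder for Cloudflare's published ranges, and `client_ip_unsafe` reproduces the unconditional-trust pattern the advisory describes for contrast. It also flags the case a defender would want to log, a direct-to-origin request that carries the header at all.

```python
"""Added example (not HestiaCP code): trust CF-Connecting-IP only when the
connecting peer is a known edge address; otherwise use the socket address."""
import ipaddress
from typing import Iterable, Mapping, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed placeholder for the trusted-proxy list. A real deployment loads
# Cloudflare's published prefixes (https://www.cloudflare.com/ips-v4 and
# https://www.cloudflare.com/ips-v6) from configuration and refreshes them;
# the documentation prefixes below exist only so the example runs offline.
TRUSTED_PROXY_RANGES: list[Network] = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]

HEADER = "cf-connecting-ip"  # HTTP header names are case-insensitive


def _headers_lower(headers: Mapping[str, str]) -> dict[str, str]:
    """Normalise header names so lookups do not depend on the sender's casing."""
    return {k.lower(): v for k, v in headers.items()}


def is_trusted_proxy(peer_ip: str, ranges: Iterable[Network] = TRUSTED_PROXY_RANGES) -> bool:
    """True only when the TCP peer falls inside one of the trusted edge prefixes."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def client_ip(peer_ip: str, headers: Mapping[str, str],
              ranges: Iterable[Network] = TRUSTED_PROXY_RANGES) -> str:
    """Return the address that auth checks and brute-force counters should use.

    The header is consulted only for requests that arrived from a trusted edge.
    A missing or malformed header value also falls back to the socket address,
    so a client can never substitute an arbitrary string for its own IP.
    """
    if not is_trusted_proxy(peer_ip, ranges):
        return peer_ip
    forwarded = _headers_lower(headers).get(HEADER, "").strip()
    try:
        return str(ipaddress.ip_address(forwarded))
    except ValueError:
        return peer_ip


def spoof_attempt(peer_ip: str, headers: Mapping[str, str],
                  ranges: Iterable[Network] = TRUSTED_PROXY_RANGES) -> bool:
    """Detection hook: a CF-Connecting-IP header on a connection that did not
    come through a trusted edge is worth logging, since a legitimate client
    behind Cloudflare never reaches the origin directly with that header."""
    return HEADER in _headers_lower(headers) and not is_trusted_proxy(peer_ip, ranges)


def client_ip_unsafe(peer_ip: str, headers: Mapping[str, str]) -> str:
    """The pattern the advisory describes: the header is trusted unconditionally,
    so any direct client can claim to be any address (shown for contrast only)."""
    return _headers_lower(headers).get(HEADER, peer_ip)


if __name__ == "__main__":
    # Constructed requests: one relayed by a (placeholder) edge, one sent
    # straight to the origin while claiming a loopback source address.
    via_edge = ("203.0.113.10", {"CF-Connecting-IP": "198.51.100.7"})
    direct = ("192.0.2.55", {"CF-Connecting-IP": "127.0.0.1"})
    for peer, hdrs in (via_edge, direct):
        print(f"peer={peer} safe={client_ip(peer, hdrs)} "
              f"unsafe={client_ip_unsafe(peer, hdrs)} spoof_attempt={spoof_attempt(peer, hdrs)}")
```

Keying rate limits and allow-lists on `client_ip` rather than on the raw header removes the bypass the description refers to, and `spoof_attempt` gives the SOC a cheap signal to alert on: the header should never appear on a connection whose peer is outside the configured edge prefixes.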
CVE-2026-43633 describes a critical deserialization weakness in HestiaCP’s web terminal feature affecting versions 1.9.0 through 1.9.4. The issue arises from a session format mismatch between PHP and Node.js: attacker-controlled data can be injected into HTTP headers, handled by the PHP session layer, and then incorrectly treated as trusted session content by the Node.js web terminal component. In the des [truncated]