CRITICAL
hestiacp
CVE published 2026-05-19
CVE-2026-43633
CVE-2026-43633 describes a critical deserialization weakness in HestiaCP’s web terminal feature affecting versions 1.9.0 through 1.9.4. The issue arises from a session format mismatch between PHP and Node.js: attacker-controlled data can be injected into HTTP headers, handled by the PHP session layer, and then incorrectly treated as trusted session content by the Node.js web terminal component. In the des [truncated]