PatchSiren

hestiacp CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH hestiacp CVE published 2026-05-19

CVE-2026-43634

CVE-2026-43634 is a high-severity IP spoofing flaw in HestiaCP. According to the published description, affected versions 1.2.0 through 1.9.4 accept an arbitrary CF-Connecting-IP value without first verifying that the request actually came from Cloudflare. That breaks the trust model for client-IP handling and can let unauthenticated remote attackers bypass IP-based authentication controls, evade brute-fo [truncated]

CRITICAL hestiacp CVE published 2026-05-19

CVE-2026-43633

CVE-2026-43633 describes a critical deserialization weakness in HestiaCP’s web terminal feature affecting versions 1.9.0 through 1.9.4. The issue arises from a session format mismatch between PHP and Node.js: attacker-controlled data can be injected into HTTP headers, handled by the PHP session layer, and then incorrectly treated as trusted session content by the Node.js web terminal component. In the des [truncated]