CVE-2026-43634

🗓️ 19 May 2026 13:33:08Reported by VulnCheckType

HestiaCP 1.2.0–1.9.4 allows IP spoofing via the Connecting IP header, enabling unauthenticated bypass of authentication, fail2ban, and allowlists, and logs spoofing.

Reporter	Title	Published	Views	Family All 10
ATTACKERKB	CVE-2026-43634	19 May 202613:33	–	attackerkb
Circl	CVE-2026-43634	19 May 202617:49	–	circl
CNNVD	HestiaCP 安全漏洞	19 May 202600:00	–	cnnvd
Cvelist	CVE-2026-43634 HestiaCP 1.2.0-1.9.4 IP Spoofing via CF-Connecting-IP Header	19 May 202613:33	–	cvelist
EUVD	EUVD-2026-30933	19 May 202613:29	–	euvd
EUVD	EUVD-2026-30935	19 May 202613:33	–	euvd
NVD	CVE-2026-43634	19 May 202615:16	–	nvd
Positive Technologies	PT-2026-41897	19 May 202600:00	–	ptsecurity
Positive Technologies	PT-2026-41935	19 May 202600:00	–	ptsecurity
Vulnrichment	CVE-2026-43634 HestiaCP 1.2.0-1.9.4 IP Spoofing via CF-Connecting-IP Header	19 May 202613:33	–	vulnrichment

Vulners

Node

hestiacp hestiacpRange1.2.0–1.9.4

[
  {
    "vendor": "hestiacp",
    "product": "hestiacp",
    "repo": "https://github.com/hestiacp/hestiacp",
    "versions": [
      {
        "status": "affected",
        "version": "1.2.0",
        "lessThanOrEqual": "1.9.4",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "f381e294500f671cf12716c638afd0bfde901f88",
        "versionType": "git"
      }
    ],
    "defaultStatus": "affected"
  }
]

Source	Link
vulncheck	www.vulncheck.com/advisories/hestiacp-ip-spoofing-via-cf-connecting-ip-header
github	www.github.com/hestiacp/hestiacp/pull/5273
github	www.github.com/hestiacp/hestiacp/issues/5229
github	www.github.com/hestiacp/hestiacp/commit/f381e294500f671cf12716c638afd0bfde901f88
mercuryiss	www.mercuryiss.com.au/hestiacp-unauthenticated-rce-ip-spoofing-cve-2026-43633-cve-2026-43634

19 May 2026 17:57Current

6Medium risk

Vulners AI Score6

CVSS 3.17.5

CVSS 48.7

EPSS0.00057

SSVC

CWE-348