CVE-2026-43633 HestiaCP 1.9.0-1.9.4 Deserialization RCE via Web Terminal

🗓️ 19 May 2026 13:29:55Reported by VulnCheckType

HestiaCP 1.9.0–1.9.4 has a deserialization RCE via the web terminal due to PHP and Node.js session mismatch.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2026-43633	19 May 202613:29	–	attackerkb
Circl	CVE-2026-43633	22 Jun 202600:36	–	circl
CNNVD	HestiaCP 代码问题漏洞	19 May 202600:00	–	cnnvd
CVE	CVE-2026-43633	19 May 202613:29	–	cve
EUVD	EUVD-2026-30933	19 May 202613:29	–	euvd
EUVD	EUVD-2026-30935	19 May 202613:33	–	euvd
NVD	CVE-2026-43633	19 May 202614:16	–	nvd
Positive Technologies	PT-2026-41897	19 May 202600:00	–	ptsecurity
Vulnrichment	CVE-2026-43633 HestiaCP 1.9.0-1.9.4 Deserialization RCE via Web Terminal	19 May 202613:29	–	vulnrichment

[
  {
    "vendor": "hestiacp",
    "product": "hestiacp",
    "repo": "https://github.com/hestiacp/hestiacp",
    "versions": [
      {
        "status": "affected",
        "version": "1.9.0",
        "lessThanOrEqual": "1.9.4",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "854d71b3c1737b0a0d0cc55c926008ffe1f6719b",
        "versionType": "git"
      }
    ],
    "defaultStatus": "affected"
  }
]

Source	Link
mercuryiss	www.mercuryiss.com.au/hestiacp-unauthenticated-rce-ip-spoofing-cve-2026-43633-cve-2026-43634
github	www.github.com/hestiacp/hestiacp/issues/5229
github	www.github.com/hestiacp/hestiacp/commit/854d71b3c1737b0a0d0cc55c926008ffe1f6719b
vulncheck	www.vulncheck.com/advisories/hestiacp-deserialization-rce-via-web-terminal
github	www.github.com/hestiacp/hestiacp/pull/5244

19 May 2026 13:34Current

CVSS 49.5

CVSS 3.110

EPSS0.01072

CWE-502