2 matches found
CVE-2026-43634
HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's...
CVE-2026-43633
CVE-2026-43633 affects HestiaCP versions 1.9.0–1.9.4, where a deserialization vulnerability in the web terminal component is caused by a session format mismatch between PHP and Node.js. Unauthenticated remote attackers can trigger root‑level code execution by injecting crafted data into HTTP head...