Deserialization in Hestiacp
CVE-2026-43633
HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code…
Vulnerability class: Insecure Deserialization
EPSS: 0.002 (42.2th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Affected products
- Hestiacp — versions 1.9.0, 854d71b3c1737b0a0d0cc55c926008ffe1f6719b
Weakness classification (CWE)
References
- disclosure@vulncheck.com (issue-tracking, technical-description, exploit)
- disclosure@vulncheck.com (issue-tracking)
- disclosure@vulncheck.com (issue-tracking, patch)
- disclosure@vulncheck.com (patch)
- disclosure@vulncheck.com (third-party-advisory)
Frequently asked questions
- What is CVE-2026-43633?
- CVE-2026-43633 is a critical-severity vulnerability in Hestiacp, classified under Deserialization of Untrusted Data. CVSS score: 10.0/10. Published 2026-05-19.
- How severe is CVE-2026-43633?
- Critical severity. CVSS v3 base score is 10.0 out of 10.