CVE-2026-43633— HestiaCP 1.9.0-1.9.4 Deserialization RCE via Web Terminal
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-43633
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
HestiaCP 1.9.0-1.9.4 Deserialization RCE via Web Terminal
Source: NVD (National Vulnerability Database)
Vulnerability Description
HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP headers that are processed by the PHP session handler but incorrectly deserialized by the Node.js web terminal component as trusted session values, resulting in arbitrary command execution on systems with the web terminal feature enabled.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)
Vulnerability Title
HestiaCP 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
HestiaCP是一个适用于现代网络的轻量级且功能强大的控制面板。 HestiaCP 1.9.0版本至1.9.4版本存在代码问题漏洞,该漏洞源于Web终端组件中存在反序列化,允许未经身份验证的远程攻击者实现root级代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-43633
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCVerified env Premium
Qwen3.6-35B-A3B · 13117 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-43633
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-43633 (2)
Security Blog Posts for CVE-2026-43633 (1)
Other References for CVE-2026-43633 (2)
IV. Related Vulnerabilities
Same vendor: hestiacp
- CVE-2026-43634
HestiaCP 1.2.0-1.9.4 IP Spoofing via CF-Connecting-IP Header - CVE-2023-5839
Privilege Chaining in hestiacp/hestiacp - CVE-2023-4517
Cross-site Scripting (XSS) - Stored in hestiacp/hestiacp - CVE-2023-5084
Cross-site Scripting (XSS) - Reflected in hestiacp/hestiacp - CVE-2023-3479
Cross-site Scripting (XSS) - Reflected in hestiacp/hestiacp
Same weakness: CWE-502
- CVE-2026-9497
changmingxie tcc-transaction Fastjson AutoType REST API Fast - CVE-2026-41104
Microsoft Planetary Computer Pro Information Disclosure Vuln - CVE-2026-45659
Microsoft SharePoint Remote Code Execution Vulnerability - CVE-2026-9291
Insecure Deserialization in Amazon Braket SDK Job Results Pr - CVE-2026-8135
Concrete CMS 9.5.0 and below is vulnerable to RCE due to ins
V. Comments for CVE-2026-43633
No comments yet