CVE-2026-43633

HestiaCP · HestiaCP

A deserialization vulnerability in the HestiaCP web terminal allows unauthenticated remote attackers to execute arbitrary commands with root-level privileges.

Executive summary

HestiaCP versions 1.9.0 through 1.9.4 are susceptible to unauthenticated remote code execution via a deserialization flaw in the web terminal component, resulting in full system compromise.

Vulnerability

This is a deserialization vulnerability (CWE-502): the web terminal treats values taken from HTTP headers as trusted session data. An unauthenticated remote attacker can place malicious payloads in those headers; the Node.js component then deserializes them, leading to arbitrary command execution with root privileges.

Business impact

With a CVSS score of 10.0, this vulnerability represents the highest level of risk. An attacker can achieve complete control over the host server, leading to total data compromise, the installation of persistent backdoors, and the potential for full environment takeover. Given the ability to execute code as root, the business impact includes severe operational disruption and potential exfiltration of all hosted data.

Remediation

Immediate Action: Upgrade HestiaCP to the latest available version, which patches the deserialization flaw in the web terminal component.

Proactive Monitoring: Monitor server logs for anomalous process execution, unexpected outbound network connections from the web server, or unauthorized modifications to system files.

Compensating Controls: Disable the "web terminal" feature within the HestiaCP interface as a temporary measure if an immediate upgrade is not feasible, and utilize a WAF to block malformed HTTP headers.

Exploitation status

Public Exploit Available: Yes (Proof-of-Concept)

Analyst recommendation

This vulnerability is critical and requires immediate attention. Organizations running affected versions of HestiaCP must prioritize patching or disabling the vulnerable component to prevent trivial remote code execution and full system takeover.