A critical deserialization flaw in HestiaCP's web terminal lets unauthenticated attackers execute code as root on affected servers by exploiting a session format mismatch between PHP and Node.js.
What Is It
CVE-2026-43633 is a deserialization vulnerability (CWE-502) in the HestiaCP web terminal component. The root cause is a session format mismatch between PHP and Node.js: PHP's session handler processes attacker-controlled HTTP headers, but the Node.js web terminal component then incorrectly deserializes those values as trusted session data. By injecting crafted data into HTTP headers, an unauthenticated remote attacker can smuggle arbitrary values into the Node.js deserialization path and trigger arbitrary command execution. Because the web terminal runs with root-level privileges, successful exploitation yields full root code execution on the host.
Why It Matters
The flaw carries a CVSS 3.1 base score of 10.0 (CRITICAL) and a CVSS 4.0 base score of 9.5. The vector is network-reachable, requires no privileges and no user interaction, and the CVSS 3.1 scope is Changed with High impact on confidentiality, integrity, and availability. HestiaCP is an open-source hosting control panel typically deployed on internet-facing servers, so any exposed instance running an affected version with the web terminal enabled can be taken over remotely by an unauthenticated attacker, with no foothold required.
What's Vulnerable
HestiaCP versions 1.9.0 through 1.9.4 are affected. Exploitation requires the web terminal feature to be enabled on the system; instances without the web terminal component active are not exposed to this specific code path. There is no current KEV listing supplied for this CVE, so active exploitation has not been confirmed by CISA at the time of this brief.
Patch Status
A fix has been committed upstream to HestiaCP (commit 854d71b3c1737b0a0d0cc55c926008ffe1f6719b, merged via PR #5244, tracked in issue #5229). Operators running HestiaCP 1.9.0 through 1.9.4 should upgrade to the patched release. As an interim mitigation, disabling the web terminal feature removes the vulnerable code path until patching is complete.