HestiaCP Pushes Emergency 1.9.7 Release Amid Nine Critical Security Fixes
HestiaCP has officially dropped version 1.9.7, and it is less of a routine update and more of an emergency patch dump. The project just published nine distinct security vulnerabilities, five of which are rated critical. The release also adds support for Debian GNU/Linux 13 (Trixie) and Ubuntu Linux 26.04 LTS.
Debian Trixie and Ubuntu 26.04 are now finally supported. On top of that, the package naming convention shifted slightly to handle ARM64 builds on x86-64 hardware. The change touches how nginx and php packages are labeled, though existing installs won't notice a thing.
Security Breakdown
The sheer volume of disclosed flaws is unusual for a single service release. We are talking about unauthenticated remote code execution, authenticated RCE, SQL injection, administrative takeover, and cross-site scripting. Some of these, like the session deserialization mismatch that actually compromised production servers, were silently patched back in May's 1.9.5 release. The team just finally decided to publish the full notifications today.
The unauthenticated RCE via the web terminal remains the most alarming entry. Attackers can pipe a crafted PHP serialization payload through the X-Forwarded-For header and grab a root shell. It works because PHP and Node.js share session files but parse them with totally incompatible methods. Then there's the IP spoofing flaw in the login handler, which blindly trusts the CF-Connecting-IP header from any client. That completely bypasses fail2ban protections.
Authenticated users aren't exactly safe either. A couple of critical flaws let low-privilege panel users escape to root through newline injection in cron jobs and double eval() loops in configuration parsing. Another critical issue stems from unescaped single quotes in web.conf path fields, which breaks out of string literals and triggers arbitrary code execution. The team also patched a SQL injection that lets users craft new MySQL superuser accounts, and a broken authorization check that allowed low-privilege accounts to overwrite the admin password via panel crontabs.
Looking at the code changes, the problems aren't random. They point to systemic architectural fatigue. The codebase leans heavily on eval() to parse user-controlled config data, and string concatenation for shell command construction. Throw in inconsistent input validation across PHP and bash layers, plus a sudoers file that gives the hestiaweb user unrestricted NOPASSWD access to nearly every v-* script, and you have a recipe for rapid privilege escalation. It's a rather expensive maintenance burden for a project that introduced the web terminal back in February 2025.
Beneath the emergency patches, there are a few quieter changes. The file manager now supports direct JSON file editing, which saves you from downloading, tweaking, and re-uploading configuration dumps. The backup validation routines got tightened, the Roundcube webmail client jumped to version 1.6.17, and the installer can finally survive missing netplan configurations.
Recommendations for Admins
Update now. At least eight of those nine vulnerabilities are actively exploitable in production environments. If you are still running a version older than 1.9.4, the Cloudflare IP spoofing flaw is likely sitting in your logs. You should audit your server for rogue admin accounts, suspicious cron entries, and dropped payloads in /tmp/. The web terminal exploits are fully reliable and already circulating.
Disable the web terminal if you don't absolutely need it. Start monitoring outbound traffic for weird beaconing patterns, since multiple RCE paths grant immediate root access. You should look closely at your sudoers configuration. Narrowing that NOPASSWD blanket pass will save you plenty of headaches down the road.
Head here to the official HestiaCP GitHub repository for the full patch notes and detailed advisory links.
