CVE-2026-44962

CRITICAL10.0

Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization

Published May 29, 2026

Modified 1 weeks ago

Details

Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.

References

WEB

https://support.plesk.com/hc/en-us/articles/38633651286679-Vulnerability-CVE-2026-44962-in-Plesk-s-APS-Catalog

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2026-44962

CVSS Analysis

CVSS v3.1

10.0

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

LowPR:L

User Interaction

NoneUI:N

Scope

ChangedS:C

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

HighA:H

10/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Weakness Type (CWE)

Other

CWE-643

Ecosystems

Timeline

PublishedMay 29, 2026

ModifiedMay 29, 2026