CVE-2026-44962 | THREATINT

Description

Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.

PUBLISHED Reserved 2026-05-08 | Published 2026-05-29 | Updated 2026-05-29 | Assigner hackerone

CRITICAL: 10.0CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')

Product status

Default status

unaffected

18.0.75.1 (semver) before 18.0.75.1

affected

18.0.76.2 (semver) before 18.0.76.2

affected

References

support.plesk.com/...y-CVE-2026-44962-in-Plesk-s-APS-Catalog

cve.org (CVE-2026-44962)

nvd.nist.gov (CVE-2026-44962)

Download JSON