CVE-2026-44962
WebPros · Plesk
Plesk contains an XPath injection vulnerability in the APS Application Catalog, allowing authenticated users to execute arbitrary OS commands as a low-privileged user.
Executive summary
An authenticated XPath injection vulnerability in the Plesk APS Application Catalog enables command execution and local privilege escalation.
Vulnerability
The application fails to properly sanitize user-supplied input before passing it into XPath queries (CWE-643). An authenticated, low-privileged user can exploit this to perform XPath injection, leading to arbitrary command execution on the underlying server.
Business impact
With a CVSS score of 9.9, this vulnerability poses a critical risk to hosting environments. Successful exploitation allows an authenticated attacker to escalate privileges, potentially leading to a full server compromise, unauthorized access to hosted data, and disruption of all services managed by the Plesk instance.
Remediation
Immediate Action: Upgrade to the latest patched version of Plesk as specified in the vendor security advisory.
Proactive Monitoring: Audit server logs for suspicious command execution patterns or abnormal XPath query strings originating from the APS Application Catalog search functionality.
Compensating Controls: Use a Web Application Firewall (WAF) to filter and block requests containing XPath injection payloads directed at the catalog search.
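The two points above that matter to a defender, the unsanitized XPath construction behind CWE-643 and the log audit for abnormal XPath query strings, are illustrated by the following Python example. It is added here and is not Plesk's code: the catalog XML, the request path /catalog/search, the parameter name q and the log lines are all constructed for the example, and the hardened form uses the standard XPath 1.0 string-literal encoding (quote the value, or build it with concat() when it contains both quote kinds) rather than any specific vendor fix.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for an application catalog; not Plesk's real APS data.
CATALOG_XML = """<catalog>
  <app id="1" name="wordpress" visibility="public"/>
  <app id="2" name="internal-tool" visibility="private"/>
</catalog>"""
CATALOG = ET.fromstring(CATALOG_XML)


def unsafe_query(name):
    """Vulnerable pattern (CWE-643): the search term is spliced straight into
    the XPath expression, so a quote in the input closes the literal and the
    rest of the input is parsed as XPath syntax."""
    return ".//app[@name='" + name + "']"


def xpath_literal(value):
    """Encode an arbitrary string as an XPath 1.0 string literal.
    XPath has no escape character, so a value containing both quote kinds is
    assembled with concat() from pieces that each contain only one kind."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    pieces = value.split("'")
    return "concat(" + ", \"'\", ".join("'" + p + "'" for p in pieces) + ")"


def safe_query(name):
    """Hardened form: the same lookup with the input confined to a literal."""
    return ".//app[@name=" + xpath_literal(name) + "]"


def lookup(query):
    """Run a query against the sample catalog and return matching app ids.
    ElementTree's XPath subset handles the single-literal hardened form; the
    concat() form needs a full XPath 1.0 engine such as libxml2."""
    return [app.get("id") for app in CATALOG.findall(query)]


# Signals that a search parameter carries XPath syntax rather than an app name:
# a quote followed by a boolean operator, a closed predicate, a path step, or
# an XPath function call. Heuristic; tune it to the real request path and field.
XPATH_SIGNALS = re.compile(
    r"""['"]\s*(or|and)\b|\]|//|\b(concat|count|substring|string-length|name)\s*\(""",
    re.IGNORECASE,
)


def flag_suspicious_requests(log_lines, path="/catalog/search", param="q"):
    """Return (line number, decoded search value) pairs for catalog search
    requests whose search parameter looks like XPath injection."""
    flagged = []
    for lineno, line in enumerate(log_lines, 1):
        match = re.search(r'"(?:GET|POST) (\S+)', line)
        if not match:
            continue
        url = match.group(1)
        if path not in url:
            continue
        for value in parse_qs(urlsplit(url).query).get(param, []):
            if XPATH_SIGNALS.search(value):
                flagged.append((lineno, value))
    return flagged


# Constructed access-log lines in combined format (hypothetical path and field).
SAMPLE_LOG = [
    '203.0.113.5 - alice [01/Jan/2026:10:00:01 +0000] "GET /catalog/search?q=wordpress HTTP/1.1" 200 512',
    '203.0.113.5 - alice [01/Jan/2026:10:00:09 +0000] "GET /catalog/search?q=%27%20or%20%271%27%3D%271 HTTP/1.1" 200 9100',
    '198.51.100.7 - bob [01/Jan/2026:10:01:15 +0000] "GET /catalog/search?q=joomla HTTP/1.1" 200 480',
    '198.51.100.7 - bob [01/Jan/2026:10:02:40 +0000] "GET /login HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print("unsafe:", unsafe_query("' or '1'='1"))
    print("safe:  ", safe_query("' or '1'='1"))
    print("lookup:", lookup(safe_query("wordpress")))
    print("flagged:", flag_suspicious_requests(SAMPLE_LOG))
```

The point of `xpath_literal` is that the search term can never leave the string literal it is placed in, so the query compares the attribute against the whole input as data; an allowlist on the expected shape of an application name (for example, lowercase letters, digits and hyphens) is a cheaper additional check when the field's format is known. The log scan only narrows the audit to requests worth a closer look; confirm any hit against the application's own logs and the process activity of the web server user.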
Exploitation status
Public Exploit Available: No
Analyst recommendation
The ability for a low-privileged user to achieve command execution makes this a high-priority update. Organizations should apply the vendor-provided patches immediately to prevent privilege escalation and maintain the integrity of the hosting server.