CVE-2026-44962

WebPros · Plesk

Plesk contains an XPath injection vulnerability in the APS Application Catalog, allowing authenticated users to execute arbitrary OS commands as a low-privileged user.

Executive summary

An authenticated XPath injection vulnerability in the Plesk APS Application Catalog enables command execution and local privilege escalation.

Vulnerability

The application fails to properly sanitize user-supplied input before passing it into XPath queries (CWE-643). An authenticated, low-privileged user can exploit this to perform XPath injection, leading to arbitrary command execution on the underlying server.
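An added example, not Plesk code (the catalog node names and search parameter are assumptions), contrasting the CWE-643 concatenation pattern with a query whose search term is encoded as an XPath 1.0 string literal, including the concat() form for terms containing both quote characters; a small checker recovers what an engine would actually compare against so the two builders can be tested side by side:

```python
"""Added example, not Plesk code: the catalog node names are assumptions."""
import re
from typing import Optional

def xpath_string_literal(value: str) -> str:
    """Encode an arbitrary string as an XPath 1.0 string expression.
    Quote with ' or " when possible; if both appear, split on ' and rejoin
    with concat() so no input character can close the literal."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    args = []
    parts = value.split("'")
    for i, part in enumerate(parts):
        if part:
            args.append(f"'{part}'")
        if i < len(parts) - 1:
            args.append("\"'\"")
    return "concat(" + ", ".join(args) + ")"

def build_vulnerable(term: str) -> str:
    # CWE-643 pattern: the search term is spliced into the predicate as-is.
    return f"//apps/app[name='{term}']"

def build_safe(term: str) -> str:
    # Same query, but the term can only ever be a string operand.
    return f"//apps/app[name={xpath_string_literal(term)}]"

_LIT = re.compile(r"'([^']*)'|\"([^\"]*)\"")

def literal_from_predicate(expr: str) -> Optional[str]:
    """Return the value an XPath engine would compare name against, or None
    when the predicate contains anything besides one string expression,
    i.e. the input has escaped the literal context."""
    m = re.fullmatch(r"//apps/app\[name=(.*)\]", expr, re.S)
    if not m:
        return None
    rhs = m.group(1)
    if rhs.startswith("concat(") and rhs.endswith(")"):
        inner, out, pos = rhs[7:-1], [], 0
        for lit in _LIT.finditer(inner):
            if inner[pos:lit.start()].strip(" ,"):   # only separators allowed between literals
                return None
            out.append(lit.group(1) if lit.group(1) is not None else lit.group(2))
            pos = lit.end()
        return "".join(out) if not inner[pos:].strip() else None
    lit = _LIT.fullmatch(rhs)
    return None if not lit else (lit.group(1) if lit.group(1) is not None else lit.group(2))
```

Where the XPath engine supports variable binding (lxml's `xpath(expr, name=value)` or REXML's variables hash), binding the term as a variable is preferable to building the literal by hand; the concat() form is the fallback for engines that only take a query string.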

Business impact

With a CVSS score of 9.9, this vulnerability poses a critical risk to hosting environments. Successful exploitation allows an authenticated attacker to escalate privileges, potentially leading to a full server compromise, unauthorized access to hosted data, and disruption of all services managed by the Plesk instance.

Remediation

Immediate Action: Upgrade to the latest patched version of Plesk as specified in the vendor security advisory.

Proactive Monitoring: Audit server logs for suspicious command execution patterns or abnormal XPath query strings originating from the APS Application Catalog search functionality.

Compensating Controls: Utilize a Web Application Firewall (WAF) to filter and block requests containing malicious XPath injection payloads directed at the catalog search.

Exploitation status

Public Exploit Available: No

Analyst recommendation

The ability for a low-privileged user to achieve command execution makes this a high-priority update. Organizations should apply the vendor-provided patches immediately to prevent privilege escalation and maintain the integrity of the hosting server.