Threat Advisory

Plesk Vulnerability Allows Privilege Escalation

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-44962, with a CVSS score of 10.0, is a critical privilege-escalation flaw affecting Plesk control panels deployed on Linux servers, specifically versions released prior to the 18.0.75.1 and 18.0.76.2 updates. The vulnerability stems from an XPath injection in the APS Application Catalog search module, where user-supplied input is concatenated directly into dynamic XPath queries without proper sanitization, allowing an attacker to manipulate the query logic. An adversary who possesses a legitimate low-privileged account can craft malicious search strings via the web interface, bypass the normal authentication checks, and cause the backend to execute arbitrary operating-system commands. Successful exploitation grants the attacker full administrative control over the host, enabling actions such as reading or modifying configuration files, disrupting web services, and installing further malware. The business impact includes total loss of server integrity, potential exposure of confidential corporate data, service downtime, and compliance violations. Exploitation requires only authentication as a low-privileged user and access to the vulnerable APS search endpoint on a Plesk instance that has not been upgraded to the patched releases.
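As an added illustration (not Plesk's code; the element and function names are hypothetical, and Python is used for portability), the query-building pattern the summary describes next to its hardened form: the search term is turned into a proper XPath string literal so it can never terminate the literal, and a tight allow-list rejects XPath metacharacters before any query is built.

```python
import re

# XPath 1.0 has no escape sequence inside string literals, so a value that
# contains both quote characters has to be split up with concat().
def xpath_literal(value: str) -> str:
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"

# The pattern the advisory describes: the raw term lands inside the expression,
# so a quote in the input ends the literal and the rest becomes query logic.
def unsafe_catalog_query(term: str) -> str:
    return f"//application[name='{term}']"

# Hardened form: the term is always a complete string literal, never syntax.
def safe_catalog_query(term: str) -> str:
    return f"//application[name={xpath_literal(term)}]"

# Defence in depth: a catalog search term has no legitimate need for XPath
# metacharacters, so reject anything outside a short allow-list up front.
SEARCH_TERM = re.compile(r"[A-Za-z0-9 ._+-]{1,64}")

def validate_search_term(term: str) -> bool:
    return SEARCH_TERM.fullmatch(term) is not None

def catalog_search_query(term: str) -> str:
    """Validate first, then quote; raise rather than build a query from bad input."""
    if not validate_search_term(term):
        raise ValueError("search term contains characters outside the allow-list")
    return safe_catalog_query(term)
```

Where the XPath engine supports variable binding (for example lxml's `xpath(expr, name=value)`), prefer that over building literals by hand; the allow-list check still applies.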

RECOMMENDATION:

  • We recommend updating Plesk to version 18.0.76.2 or 18.0.75.1.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/plesk-privilege-escalation-flaw-patch/
