CVE-2026-44962
In short
Plesk's application search feature does not properly sanitize user input before using it in database queries, allowing a low-privileged user to run commands on the server and gain admin privileges.
Technical detail
XPath injection in APS Application Catalog search allows authenticated, low-privileged users to manipulate XPath queries through unsanitized input, enabling arbitrary OS command execution and local privilege escalation to system-level access.
Summary generated and translated by AI from the official description.
Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
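The root cause named above is string interpolation of a search term into an XPath expression. The following Python example is added here to illustrate that pattern and its defensive counterparts; it is not Plesk's code, and the catalog XML, the `/aps/search?q=` endpoint and the access-log format are all constructed for the demonstration. It shows the naive query builder, a proper XPath string-literal encoder (the `concat()` construction that XPath 1.0 needs because it has no in-literal escaping), an allowlist validator for the catalog lookup, and a small log check that flags search parameters carrying XPath metacharacters.

```python
import re
from urllib.parse import parse_qs, urlsplit
from xml.etree import ElementTree as ET

# Constructed sample catalog; not Plesk's real APS data.
CATALOG_XML = """<catalog>
  <app><name>wordpress</name><category>cms</category></app>
  <app><name>joomla</name><category>cms</category></app>
  <app><name>roundcube</name><category>mail</category></app>
</catalog>"""
CATALOG = ET.fromstring(CATALOG_XML)


def naive_search_query(term: str) -> str:
    """The anti-pattern: the term is pasted into the XPath text, so a quote in
    the term closes the literal and the remainder is parsed as XPath syntax."""
    return f"//app[name='{term}']"


def xpath_string_literal(value: str) -> str:
    """Encode an arbitrary string as an XPath 1.0 string literal.
    A value with both quote kinds is assembled with concat(), which keeps the
    whole value inside literals no matter what it contains."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = []
    for chunk in re.split(r"(')", value):
        if chunk == "'":
            parts.append('"\'"')
        elif chunk:
            parts.append(f"'{chunk}'")
    return "concat(" + ", ".join(parts) + ")"


def safe_search_query(term: str) -> str:
    """Same query as naive_search_query, but the term can only ever be a literal.
    Suitable for engines that support concat() (lxml, libxml2, Java XPath)."""
    return f"//app[name={xpath_string_literal(term)}]"


# Allowlist for catalog names: simple tokens only (assumed shape of app names).
SAFE_TERM = re.compile(r"[A-Za-z0-9._-]{1,64}")


def search_catalog(term: str) -> list[str]:
    """Validate before querying. The stdlib ElementTree XPath subset has no
    concat(), so here the allowlist is the control rather than literal encoding."""
    if not SAFE_TERM.fullmatch(term):
        raise ValueError("search term contains disallowed characters")
    return [app.findtext("name") for app in CATALOG.findall(f".//app[name='{term}']")]


def is_rejected(term: str) -> bool:
    """True if search_catalog refuses the term."""
    try:
        search_catalog(term)
    except ValueError:
        return True
    return False


# Metacharacters that have no business in a catalog search term. Keywords such
# as 'or' are deliberately not matched, to avoid flagging legitimate words.
SUSPICIOUS = re.compile(r"""['"()\[\]|]""")


def flag_xpath_injection_attempts(log_lines: list[str]) -> list[str]:
    """Return request lines whose 'q' parameter contains XPath metacharacters.
    Log format is a constructed, simplified access log: '<ip> "<method> <path> ..."'."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query)  # parse_qs also URL-decodes
        if any(SUSPICIOUS.search(v) for v in params.get("q", [])):
            hits.append(line)
    return hits


# Constructed log lines; the endpoint path is hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 "GET /aps/search?q=wordpress HTTP/1.1" 200',
    '203.0.113.5 "GET /aps/search?q=round.cube HTTP/1.1" 200',
    '198.51.100.7 "GET /aps/search?q=%27%20or%20%271%27%3D%271 HTTP/1.1" 200',
]

if __name__ == "__main__":
    print(search_catalog("wordpress"))
    print(naive_search_query("' or '1'='1"))
    print(safe_search_query("' or '1'='1"))
    print(flag_xpath_injection_attempts(SAMPLE_LOG))
```

The two controls are complementary: literal encoding (or, better, the XPath engine's own variable binding where it offers one) keeps input out of the query grammar entirely, while the allowlist rejects anything that does not look like a catalog name before it reaches the engine. The log check is a cheap hunting query for attempts against a search endpoint while a patch is being rolled out.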
Affected products
WebPros · Plesk