CVE-2025-65518
Unknown Unknown - Not Provided
Denial of Service in Plesk Obsidian get_password.php Endpoint

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: MITRE

Description
Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a malicious payload can cause the affected web interface to continuously reload, rendering the service unavailable to legitimate users. An attacker can exploit this issue remotely without authentication, resulting in a persistent availability impact on the affected Plesk Obsidian instance.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-65518
EUVD
EUVD-2026-1436
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
plesk obsidian From 8.0.1 (inc) to 18.0.73 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Plesk Obsidian versions 8.0.1 through 18.0.73 and is a Denial of Service (DoS) condition. It occurs in the get_password.php endpoint, where an attacker can send a specially crafted request containing a malicious payload. This causes the web interface to continuously reload, making the service unavailable to legitimate users. The attack can be performed remotely without any authentication.

Impact Analysis

The vulnerability can cause a persistent denial of service on the affected Plesk Obsidian instance, making the web interface unavailable to legitimate users. This impacts the availability of the service, potentially disrupting server management and hosted websites.

Detection Guidance

You can detect this vulnerability by monitoring for unusual or repeated requests to the get_password.php endpoint on your Plesk Obsidian web interface. Specifically, look for crafted requests that cause continuous reloads or high availability impact. Network monitoring tools or web server logs can be used to identify such suspicious activity. However, no specific commands or detection scripts are provided in the available resources. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the get_password.php endpoint, applying any available patches or updates from Plesk for versions 8.0.1 through 18.0.73, and monitoring the service for abnormal reload behavior. Since the vulnerability can be exploited remotely without authentication, consider implementing network-level protections such as firewall rules to limit access to the affected endpoint until a patch is applied. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65518. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart