CVE-2025-65518
Modified
Modified - Updated After Analysis
Denial of Service in Plesk Obsidian get_password.php Endpoint
Vulnerability report for CVE-2025-65518, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-01-08
Last updated on: 2026-07-05
Assigner: MITRE
Description
Description
Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a malicious payload can cause the affected web interface to continuously reload, rendering the service unavailable to legitimate users. An attacker can exploit this issue remotely without authentication, resulting in a persistent availability impact on the affected Plesk Obsidian instance.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| plesk | obsidian | From 8.0.1 (inc) to 18.0.73 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-606 | The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |