CVE-2026-44962
Status: Awaiting Analysis
XPath Injection in Plesk Leading to Local Privilege Escalation

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: HackerOne

Description
Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.
Meta Information
Published: 2026-05-29
Last Modified: 2026-05-29
Generated: 2026-05-29
AI Q&A: 2026-05-29
CVSS Scores: none listed
EPSS Scores: not yet evaluated (no probability or percentile)
Affected Vendors & Products (3 associated CPEs)
Vendor   Product                   Version / Range
plesk    aps_application_catalog   *
plesk    aps_catalog               18.0.76.2
plesk    aps_catalog               18.0.75.1
Note: the two aps_catalog entries carry the same version numbers that the mitigation answer below names as the fixed releases, so this CPE list should not be read as the affected range; confirm it against the vendor advisory before using it for inventory matching.
CWE
CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection'). The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
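To make the CWE-643 pattern concrete, the following is an added Python example, not Plesk code and not taken from the CVE record. It builds a constructed catalog XML and a search that interpolates the user's term into an XPath predicate, beside a variant that renders the term as an XPath string literal; the concat() split is the standard remedy for engines that have no parameter binding, such as PHP's DOMXPath. The catalog, the search field (<name>) and the payload are assumptions for illustration. The page does not describe how the Plesk issue proceeds from query control to operating system command execution, and the example does not attempt to show that step.

```python
"""CWE-643 in a catalog search: user input concatenated into an XPath query.

Added illustration, not Plesk code. The catalog XML, the search field
(<name>) and the function names are constructed for this example; the
attacker-controlled string is the search term. Python's xml.etree
implements only a subset of XPath 1.0, which is enough to show the query
structure being redirected.
"""
import xml.etree.ElementTree as ET

# Constructed catalog: one listed app and one that the search is not
# supposed to expose.
CATALOG_XML = """\
<catalog>
  <app id="1"><name>wordpress</name><visibility>public</visibility></app>
  <app id="2"><name>internal-backup</name><visibility>hidden</visibility></app>
</catalog>
"""
ROOT = ET.fromstring(CATALOG_XML)

# A search term that closes the literal, steps up to the parent <catalog>
# and selects the hidden entry instead of the named one.
PAYLOAD = "wordpress']/../app[visibility='hidden"


def build_query_unsafe(term: str) -> str:
    # Vulnerable pattern: the term is interpolated verbatim, so a quote in
    # it terminates the literal and the remainder is parsed as XPath syntax.
    return f".//app[name='{term}']"


def xpath_literal(value: str) -> str:
    """Render any string as an XPath 1.0 string literal.

    XPath 1.0 literals have no escape sequences, so a value containing both
    quote kinds has to be assembled with concat(). This is the usual remedy
    for engines without parameter binding (e.g. PHP's DOMXPath).
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = []
    for piece in value.split("'"):
        if piece:
            parts.append(f"'{piece}'")
        parts.append('"\'"')          # the apostrophe itself, double-quoted
    parts.pop()                       # no separator after the last piece
    return "concat(" + ", ".join(parts) + ")"


def build_query_safe(term: str) -> str:
    # The term can only ever be compared as a string; it cannot add steps or
    # predicates. (xml.etree does not implement concat(), so under this toy
    # engine a term mixing both quote kinds raises SyntaxError instead of
    # being searched; a full XPath 1.0 engine evaluates it normally.)
    return f".//app[name={xpath_literal(term)}]"


def search(query: str) -> list[str]:
    """Run an XPath query against the catalog and return matching app names."""
    return [app.findtext("name") for app in ROOT.findall(query)]


def search_unsafe(term: str) -> list[str]:
    return search(build_query_unsafe(term))


def search_safe(term: str) -> list[str]:
    return search(build_query_safe(term))


if __name__ == "__main__":
    for term in ("wordpress", PAYLOAD):
        print(f"term={term!r}")
        print("  unsafe ->", search_unsafe(term))   # payload returns the hidden app
        print("  safe   ->", search_safe(term))     # payload returns nothing
```

For a normal term both builders return the same result; for the payload the unsafe builder yields the hidden entry because the attacker's text became part of the path, while the literal-escaped query compares the whole string as a name and matches nothing. In a real application the escaping belongs alongside an allowlist for the search field (letters, digits, space, dash, dot) so that syntax characters never reach the query builder at all.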
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-44962 is an XPath injection vulnerability found in Plesk's APS Application Catalog search functionality. It occurs because user input is directly inserted into XPath queries without proper sanitization. This flaw allows an authenticated user with low privileges to execute arbitrary operating system commands on the server.

As a result, the attacker can escalate their privileges locally on the server, gaining higher access than originally permitted.


How can this vulnerability impact me?

The impact is local privilege escalation: an attacker who already holds a low-privileged Plesk account can gain administrative or root-level control of the server.

Arbitrary command execution on the host can then lead to full system compromise, theft of hosted data, service disruption, or use of the server as a foothold for further attacks within the network.


What immediate steps should I take to mitigate this vulnerability?

To mitigate CVE-2026-44962, update Plesk to a fixed build: 18.0.76 Update 2 (18.0.76.2) or 18.0.75 Update 1 (18.0.75.1), both released in February 2026. Confirm the installed version afterwards with the plesk version command on the server.

If updating is not possible right away, a temporary workaround is to disable the APS Application Catalog through a setting in /usr/local/psa/admin/conf/panel.ini (the exact directive is not reproduced on this page). This removes the vulnerable search surface but does not fix the underlying query construction, so treat it as a stopgap until the update is applied.

