CVE-2026-44962
Awaiting Analysis Awaiting Analysis - Queue
XPath Injection in Plesk Leading to Local Privilege Escalation

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: HackerOne

Description
Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44962
EUVD
EUVD-2026-33344
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
plesk aps_application_catalog *
plesk aps_catalog 18.0.76.2
plesk aps_catalog 18.0.75.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-643 The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-44962 is an XPath injection vulnerability found in Plesk's APS Application Catalog search functionality. It occurs because user input is directly inserted into XPath queries without proper sanitization. This flaw allows an authenticated user with low privileges to execute arbitrary operating system commands on the server.

As a result, the attacker can escalate their privileges locally on the server, gaining higher access than originally permitted.

Impact Analysis

This vulnerability can have severe impacts including local privilege escalation, where an attacker with limited access can gain administrative or root-level control over the server.

Such control allows the attacker to execute arbitrary operating system commands, potentially leading to full system compromise, data theft, service disruption, or further attacks within the network.

Mitigation Strategies

To mitigate the CVE-2026-44962 vulnerability immediately, users should update Plesk to the fixed versions 18.0.76.2 or 18.0.75.1 released in February 2026.

If updating is not possible right away, a temporary workaround is to disable the APS Catalog by adding a specific configuration to the /usr/local/psa/admin/conf/panel.ini file.

Compliance Impact

The provided information does not specify how the CVE-2026-44962 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44962. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart