CRITICAL🇵🇱 Wersja polska

CVE-2026-44962

CVSS 9.9v3.1pub. 2026-05-29

Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.

🤖 AI Analysis
How it works

User-supplied input is inserted directly into XPath queries without proper sanitization (CWE-643). An attacker can craft a malicious query in the APS catalog search field, which will be interpreted by the XPath engine in an unintended manner. As a result, it is possible to execute arbitrary operating system commands on the server, leading to local privilege escalation.

Impact

An authenticated user with low privileges can execute arbitrary system commands on the server and obtain a higher level of privileges (privilege escalation), which in practice can result in complete takeover of system control.

Mitigation & patch

Patches available from the vendor should be applied according to the references: https://support.plesk.com/hc/en-us/articles/38633651286679-Vulnerability-CVE-2026-44962-in-Plesk-s-APS-Catalog

Who is affected

Plesk — versions indicated in vendor references (APS application catalog search function)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPE
CWE
References