A severe security vulnerability identified in the Plesk platform, labeled as CVE-2026-44962, has emerged as a significant threat. Security researchers have confirmed that this flaw permits authenticated users to execute arbitrary commands on servers, posing a serious risk to affected systems.
Understanding the Plesk Vulnerability
This vulnerability, which is highlighted in both the National Vulnerability Database and the GitHub Advisory Database, is related to the APS Application Catalog component. It has been assigned a critical CVSS score due to its potential to compromise system confidentiality, integrity, and availability.
The core issue arises from an XPath injection flaw within the APS Catalog’s search functionality. This allows improperly handled user input to be directly integrated into XPath queries without sufficient sanitization, presenting a critical security gap.
Impact and Exploitation
Classified under CWE-643, this vulnerability enables attackers to manipulate XPath query logic, thus gaining control over XML-based data retrieval. Even users with minimal privileges can exploit this flaw to escalate their access and execute commands on the server.
The simplicity of the attack, requiring just network access and minimal user privileges without additional user interaction, makes it particularly dangerous. The flaw also has a changed scope, meaning it can affect resources beyond its initial security context.
Mitigation and Response
Plesk has acknowledged this vulnerability and released patches in versions 18.0.76.2 and 18.0.75.1, available since late February 2026. Users are strongly encouraged to update their systems promptly to mitigate potential exploitation risks.
For environments where immediate updating isn’t possible, Plesk suggests temporarily disabling the APS Catalog functionality by altering the configuration file at /usr/local/psa/admin/conf/panel.ini. However, this is a stopgap measure and doesn’t replace the need for the official security update.
Security researcher Georgii Shutiaev, who discovered the flaw, worked closely with Plesk to ensure a coordinated response. While no active exploitation has been reported at publication, the flaw’s ease of use and impact level make it an attractive target for threat actors.
Organizations utilizing Plesk, especially in shared hosting or multi-tenant setups, should prioritize addressing this vulnerability. Immediate patch deployment, reviewing access controls, and monitoring for unusual command activity are essential steps to safeguard against potential threats.
This incident underscores the continuous risks posed by improper input handling in web applications and highlights the critical need for secure coding and timely updates to reduce vulnerabilities.
