Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Critical Plesk Flaw Allows Command Execution on Servers

Critical Plesk Flaw Allows Command Execution on Servers

Posted on June 1, 2026 By CWS

A severe security vulnerability identified in the Plesk platform, labeled as CVE-2026-44962, has emerged as a significant threat. Security researchers have confirmed that this flaw permits authenticated users to execute arbitrary commands on servers, posing a serious risk to affected systems.

Understanding the Plesk Vulnerability

This vulnerability, which is highlighted in both the National Vulnerability Database and the GitHub Advisory Database, is related to the APS Application Catalog component. It has been assigned a critical CVSS score due to its potential to compromise system confidentiality, integrity, and availability.

The core issue arises from an XPath injection flaw within the APS Catalog’s search functionality. This allows improperly handled user input to be directly integrated into XPath queries without sufficient sanitization, presenting a critical security gap.

Impact and Exploitation

Classified under CWE-643, this vulnerability enables attackers to manipulate XPath query logic, thus gaining control over XML-based data retrieval. Even users with minimal privileges can exploit this flaw to escalate their access and execute commands on the server.

The simplicity of the attack, requiring just network access and minimal user privileges without additional user interaction, makes it particularly dangerous. The flaw also has a changed scope, meaning it can affect resources beyond its initial security context.

Mitigation and Response

Plesk has acknowledged this vulnerability and released patches in versions 18.0.76.2 and 18.0.75.1, available since late February 2026. Users are strongly encouraged to update their systems promptly to mitigate potential exploitation risks.

For environments where immediate updating isn’t possible, Plesk suggests temporarily disabling the APS Catalog functionality by altering the configuration file at /usr/local/psa/admin/conf/panel.ini. However, this is a stopgap measure and doesn’t replace the need for the official security update.

Security researcher Georgii Shutiaev, who discovered the flaw, worked closely with Plesk to ensure a coordinated response. While no active exploitation has been reported at publication, the flaw’s ease of use and impact level make it an attractive target for threat actors.

Organizations utilizing Plesk, especially in shared hosting or multi-tenant setups, should prioritize addressing this vulnerability. Immediate patch deployment, reviewing access controls, and monitoring for unusual command activity are essential steps to safeguard against potential threats.

This incident underscores the continuous risks posed by improper input handling in web applications and highlights the critical need for secure coding and timely updates to reduce vulnerabilities.

Cyber Security News Tags:APS Catalog, command execution, CVE-2026-44962, CVSS score, Georgii Shutiaev, input validation, Patch, Plesk, Security, server security, Vulnerability, web application security, XML data processing, XPath injection

Post navigation

Previous Post: New Flaws and AI Threats Shape Cybersecurity Landscape
Next Post: Cyber Espionage Campaign Targets Czech Republic and Taiwan

Related Posts

Developers Frustrated by ‘No Server Available’ Message Developers Frustrated by ‘No Server Available’ Message Cyber Security News
New Ghost Calls Attack Abuses Web Conferencing for Covert Command & Control New Ghost Calls Attack Abuses Web Conferencing for Covert Command & Control Cyber Security News
DigiCert Breach Exposes EV Code Signing Vulnerabilities DigiCert Breach Exposes EV Code Signing Vulnerabilities Cyber Security News
New Sicarii RaaS Operation Attacks Exposed RDP Services and Attempts to Exploit Fortinet Devices New Sicarii RaaS Operation Attacks Exposed RDP Services and Attempts to Exploit Fortinet Devices Cyber Security News
CERT-In Urges Rapid Patching of Critical Vulnerabilities CERT-In Urges Rapid Patching of Critical Vulnerabilities Cyber Security News
Critical HTTP/2 Vulnerability in Apache Threatens Servers Critical HTTP/2 Vulnerability in Apache Threatens Servers Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Hackers Sentenced for Disrupting London Transport Systems
  • JetBrains Fixes Critical Security Flaws in Key Products
  • Dutch Police Break Up €100 Million Fraud Network
  • AI Security Testing Evolves with New Threats
  • Daxin Malware Reappears in Taiwan with New Stupig Backdoor

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Hackers Sentenced for Disrupting London Transport Systems
  • JetBrains Fixes Critical Security Flaws in Key Products
  • Dutch Police Break Up €100 Million Fraud Network
  • AI Security Testing Evolves with New Threats
  • Daxin Malware Reappears in Taiwan with New Stupig Backdoor

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark