CVE-2026-44962
Published 2026-05-29
Priority P263 · critical · 9.9 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.69% (48.0th percentile)
Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| webpros | plesk | >= 18.0.75.1 < 18.0.75.1 | 18.0.75.1 |
| webpros | plesk | >= 18.0.76.2 < 18.0.76.2 | 18.0.76.2 |
GHSA
ghsa_unreviewed·2026-05-29
CVE-2026-44962 [CRITICAL] CWE-643 GHSA-2785-qq7p-x3cj: Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XP
VulDB
vuldb·2026-05-29·CVSS 9.9
CVE-2026-44962 [CRITICAL] WebPros Plesk prior 18.0.75.1/18.0.76.2 APS Application Catalog Search xpath injection
A vulnerability was found in WebPros Plesk. It has been rated as critical. This issue affects some unknown processing of the component APS Application Catalog Search. The manipulation leads to improper neutralization of data within xpath expressions.
This vulnerability is listed as CVE-2026-44962. The attack may be initiated remotely. There is no available exploit.
Upgrading the affected component is advised.
No detection rules found.
No public exploits indexed.