CVE-2026-44962: Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization
Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.
HarborGuard Analysis
Synopsis
Plesk has an XPath injection in the APS Application Catalog search, where unsanitized user input is interpolated directly into XPath queries. An authenticated low-privileged user can reach the affected endpoint over the network and use the injection to run arbitrary operating system commands on the server under the Plesk service account, resulting in local privilege escalation. Patched-image rebuilds at 18.0.75.1 and 18.0.76.2 are available on HarborGuard for affected environments.
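To make the bug class concrete, the following is an added example; it is not Plesk's code and not part of this advisory. It builds a constructed catalog of three `<app>` elements, a search that interpolates the user's term into an XPath predicate (the pattern the advisory describes), and two hardened forms: binding the term as an XPath variable, and, for engines without variable binding such as PHP's DOMXPath, building a string literal that cannot be broken out of. Ruby's bundled REXML engine is used because it ships with the interpreter and supports `$variable` binding (lxml's `xpath(expr, term=...)` is the Python equivalent). The catalog layout, element names, the `visible` attribute and the payload are assumptions; the advisory does not say how Plesk turns the injected query into command execution, so the example shows only the query-manipulation primitive.

```ruby
require 'rexml/document'

# Constructed sample catalog; the real APS catalog schema is not reproduced here.
CATALOG_XML = <<~XML
  <catalog>
    <app name="wordpress" visible="true"><id>1</id></app>
    <app name="joomla" visible="true"><id>2</id></app>
    <app name="internal-tool" visible="false"><id>3</id></app>
  </catalog>
XML

def catalog
  REXML::Document.new(CATALOG_XML)
end

def names(nodes)
  nodes.map { |app| app.attributes['name'] }
end

# VULNERABLE (the pattern the advisory describes): the search term is pasted
# straight into the expression, so a quote in the term ends the string literal
# and the rest of the term is parsed as XPath.
def search_vulnerable(term)
  expr = "//app[@visible='true' and contains(@name, '#{term}')]"
  names(REXML::XPath.match(catalog, expr))
end

# A term that closes the literal and appends an always-true branch. Because
# 'and' binds tighter than 'or', the visible='true' filter is bypassed and
# every app, including the hidden one, is returned.
PAYLOAD = "') or ('1'='1"

# HARDENED 1: bind the term as an XPath variable. The engine receives the term
# as data, never as expression text, so quoting cannot change the query.
def search_safe(term)
  expr = "//app[@visible='true' and contains(@name, $term)]"
  names(REXML::XPath.match(catalog, expr, {}, { 'term' => term }))
end

# HARDENED 2: for engines without variable binding (e.g. PHP's DOMXPath),
# build a string literal that cannot be broken out of. XPath 1.0 has no escape
# sequence, so a value containing both quote kinds is assembled with concat().
def xpath_literal(value)
  return "'#{value}'" unless value.include?("'")
  return "\"#{value}\"" unless value.include?('"')
  "concat('" + value.split("'", -1).join("', \"'\", '") + "')"
end

def search_escaped(term)
  expr = "//app[@visible='true' and contains(@name, #{xpath_literal(term)})]"
  names(REXML::XPath.match(catalog, expr))
end

if __FILE__ == $PROGRAM_NAME
  p search_vulnerable('joom')   # ["joomla"]
  p search_vulnerable(PAYLOAD)  # ["wordpress", "joomla", "internal-tool"]
  p search_safe(PAYLOAD)        # []
  p search_escaped(PAYLOAD)     # []
end
```

Variable binding is the fix to reach for wherever the XPath engine offers it; the `concat()` literal builder is the fallback for DOMXPath-style APIs and is the part you would port to PHP. An allowlist on the search term (for example, letters, digits, dot, dash and underscore only) is worth adding as defence in depth, but it is not a substitute for either of the two, since a permissive allowlist is easy to get wrong.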
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against Plesk images in customer registries and build pipelines. Coverage extends to custom-built images that bundle Plesk, not just vendor base images.
- Triage routing: Available
Triage routing uses the published CVSS 3.1 score of 10.0 (Critical), weighted by each customer's compliance policy so that exposure on internet-facing or multi-tenant hosts escalates ahead of internal-only deployments. Findings are routed to the inbox configured for the owning team inside each customer organization.
- Patched image: Available
A patched-image rebuild at 18.0.75.1 or 18.0.76.2 is available on HarborGuard for environments running an affected Plesk version. For customers with auto-remediation enabled, the rebuild is produced, the regression suite is run against it, and a pull request is opened against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Plesk web interface over the network to hit the APS Application Catalog search endpoint.
- Authentication: Required
A valid low-privileged Plesk account is sufficient; no administrative role is needed.
- Victim interaction: Not required
Exploitation is driven entirely by the attacker's request and needs no action from another user.
- Attack complexity: Low
Attack complexity is low (CVSS AC:L), meaning the exploit is reliable and does not depend on race conditions or environmental tuning.
Blast Radius
- Executes arbitrary operating system commands on the Plesk host under the service account, enabling local privilege escalation.
- Reads any file or secret accessible to the Plesk process, including hosted site data, database credentials, and API tokens.
- Modifies or destroys hosted website content, configuration, and persisted database rows on the server.
- Disrupts or fully takes the Plesk control panel and the sites it manages offline.
How HarborGuard Handles This
Available on HarborGuard: a rebuilt image at Plesk 18.0.75.1 or 18.0.76.2, ready to replace affected versions in customer registries. For environments with auto-remediation enabled, the rebuild is generated, the regression suite is executed, and a PR is opened against workloads still pinned to a vulnerable version; median time from CVE publication to merged patch PR on Critical issues is around 90 minutes for these environments. Where compliance policy requires human review before deployment, the patched image and PR are staged and held pending approval, and compensating guidance (restricting Plesk panel exposure to trusted networks and disabling unused APS catalog access) is surfaced alongside the finding.
Metrics
- CVSS v3.1: 10.0
- Severity: CRITICAL
- Fixed in: 18.0.75.1
- Affected Products: 1
Fix available
- WebPros / Plesk: < 18.0.75.1 (fixed from 18.0.75.1) · < 18.0.76.2 (fixed from 18.0.76.2)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H