CVE-2026-44962

9.9 CRITICAL

Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpo...

Published: 2026-05-29 · Last updated: 2026-05-29

Severity and scoring

CVSS: 9.9 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-643

Description

Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44962
[Other]https://support.plesk.com/hc/en-us/articles/38633651286679-Vulnerability-CVE-2026-44962-in-Plesk-s-APS-Catalog