A newly disclosed critical vulnerability in Plesk is raising serious security concerns after researchers confirmed that low-privileged users can execute arbitrary commands on affected servers.
Tracked as CVE-2026-44962, the vulnerability affects Plesk for Linux and is linked to improper input handling in the APS Application Catalog search functionality.
The issue was published in the GitHub Advisory Database and remains under review, but its potential for local privilege escalation makes it highly dangerous in real-world environments.
The flaw allows authenticated users with minimal privileges to alter the backend query that the panel builds from their search input and to inject payloads into it.
By exploiting this vulnerability, attackers can break out of intended query logic and execute arbitrary operating system commands on the underlying server.
This effectively turns a limited-access user into one capable of performing privileged actions, resulting in local privilege escalation.
In shared hosting environments or multi-tenant systems, this significantly increases the risk of lateral movement and full server compromise.
The root cause of CVE-2026-44962 lies in an XPath injection vulnerability within the APS catalog search feature. According to the advisory, user-controlled input is directly embedded into XPath queries without sufficient sanitization or validation.
Because the affected code path is administrative functionality of the panel itself rather than something confined to the requesting user's own account, a successful injection has effects well beyond what a typical user-level attack could achieve.
Security researchers emphasize that XPath injection is often overlooked compared to SQL injection, yet it can be equally severe when the query result drives further backend processing.
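To make the preceding point concrete, here is an added example of the class of bug described above, written for this article and not taken from Plesk's code; the catalog XML, its element names and the "admin-only" entry are constructed, and nothing here reflects how the real APS catalog is structured. It contrasts a search that interpolates the user's term straight into an XPath predicate (the pattern the advisory describes) with the same search using an XPath variable binding, so the term can never be parsed as query syntax:

```ruby
require 'rexml/document'

# Constructed sample catalog for illustration only (not the real APS catalog).
# The "admin" entry stands in for data a low-privileged user should never reach.
CATALOG_XML = <<~XML
  <catalog>
    <app visibility="public"><name>wordpress</name><cmd>install-wordpress</cmd></app>
    <app visibility="public"><name>joomla</name><cmd>install-joomla</cmd></app>
    <app visibility="admin"><name>maintenance-shell</name><cmd>/bin/sh</cmd></app>
  </catalog>
XML

DOC = REXML::Document.new(CATALOG_XML)

# Vulnerable: the search term is concatenated into the XPath predicate.
# A term such as  ' or '1'='1  closes the literal and appends its own
# condition; because "and" binds tighter than "or", the visibility
# restriction is bypassed and every <app> is returned.
def search_vulnerable(term)
  xpath = "//app[@visibility='public' and name='#{term}']"
  REXML::XPath.match(DOC, xpath).map { |app| app.elements['cmd'].text }
end

# Hardened: the term is passed as the XPath variable $term. The query text
# is fixed, so quotes and operators in the input are only ever compared as
# data against <name>, never interpreted as part of the expression.
def search_safe(term)
  xpath = "//app[@visibility='public' and name=$term]"
  REXML::XPath.match(DOC, xpath, {}, { 'term' => term })
              .map { |app| app.elements['cmd'].text }
end

if __FILE__ == $PROGRAM_NAME
  payload = "' or '1'='1"
  p search_vulnerable('wordpress')   # legitimate search, one public result
  p search_vulnerable(payload)       # predicate broken out of: admin entry leaks
  p search_safe(payload)             # same payload, no match, nothing leaks
end
```

The lesson carries over regardless of XML library: treat the query as a fixed template and bind user input through the engine's variable mechanism (or, where none exists, reject anything outside a strict allowlist of catalog-name characters) rather than sanitizing individual quote characters after the fact.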
Critical Plesk Vulnerability
At the time of disclosure, specific affected versions were not explicitly listed in the GitHub advisory. However, Plesk has confirmed that patched versions were released on February 24 and 25, 2026. The fixed versions are Plesk 18.0.76.2 and 18.0.75.1, and users are strongly urged to upgrade immediately.
Below is a quick overview of the vulnerability:
| Field | Details |
|---|---|
| CVE ID | CVE-2026-44962 |
| Product | Plesk for Linux |
| Severity | Critical |
| Vulnerability Type | XPath Injection leading to Command Execution |
| Impact | Local Privilege Escalation |
| Patched Versions | 18.0.76.2, 18.0.75.1 |
For organizations unable to apply updates immediately, Plesk has provided a temporary mitigation.
Administrators can disable the vulnerable APS functionality by adding an entry that turns off APS support to the panel configuration file at /usr/local/psa/admin/conf/panel.ini.
While this reduces exposure, it is not a complete fix: it removes the application catalog from the panel until APS is re-enabled and leaves the underlying code in place, so it should be used only as a short-term workaround until the patched version is installed.
The vulnerability was responsibly disclosed by security researcher Georgii Shutiaev, who worked with the Plesk team to coordinate the release of patches. The rapid response from the vendor highlights the severity of the issue and the importance of timely updates.
Given the widespread use of Plesk in web hosting and cloud environments, this vulnerability poses a significant threat to servers that remain unpatched.
Attackers routinely scan for exposed control panels and begin exploitation attempts shortly after a disclosure, so every day of delayed remediation adds risk.
Organizations should prioritize patch deployment, monitor for suspicious activity, and review access controls to minimize potential exploitation.
As threat actors continue to target web hosting control panels, vulnerabilities like CVE-2026-44962 reinforce the need for strict input validation, secure coding practices, and proactive vulnerability management across server infrastructure.