CVE-2026-44962: Plesk APS Application Catalog Search Allows Unauthorized OS Commands

Summary

Plesk's search function in the Application Catalog can be tricked into executing system commands. An authenticated, low-privileged user who has permission to use the search feature can exploit this. To stay secure, update Plesk to the latest version as soon as possible.

Original title
Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This a...
Original description
Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.
NVD CVSS 3.1 score: 9.9
Vulnerability type
CWE-643 (Improper Neutralization of Data within XPath Expressions, i.e. XPath Injection)
Published: 29 May 2026 · Updated: 31 May 2026 · First seen: 29 May 2026