Search
Search Results (15 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-48614 | 1 Webpros | 1 Plesk | 2026-07-06 | 9.9 Critical |
| An improper authorization vulnerability in the Plesk XML API allows an authenticated user to inject arbitrary configuration directives, resulting in arbitrary file write as root and full privilege escalation on the underlying server. | ||||
| CVE-2026-29205 | 2 Webpros, Wordpress | 3 Cpanel, Wp Squared, Wordpress | 2026-06-18 | 8.6 High |
| Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints. | ||||
| CVE-2026-47365 | 2 Webpros, Wordpress | 2 Wordpress-toolkit, Wordpress | 2026-06-12 | 9.9 Critical |
| Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account. | ||||
| CVE-2026-44962 | 1 Webpros | 1 Plesk | 2026-05-30 | 10 Critical |
| Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation. | ||||
| CVE-2026-32999 | 1 Webpros | 1 Comet Backup | 2026-05-28 | 9.1 Critical |
| Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute an arbitrary code on behalf of a privileged user on the affected server and connected devices. | ||||
| CVE-2026-29203 | 1 Webpros | 3 Cpanel, Cpanel (centos 6, Cloudlinux 6), Wp Squared | 2026-05-15 | 8.8 High |
| A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory. | ||||
| CVE-2026-32991 | 2 Webpros, Wordpress | 4 Cpanel, Cpanel (cloudlinux 6, Centos 6), Wp Squared and 1 more | 2026-05-14 | 7.1 High |
| Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account. | ||||
| CVE-2026-29206 | 1 Webpros | 3 Cpanel, Cpanel (cloudlinux 6, Centos 6), Wp Squared | 2026-05-14 | 8.1 High |
| Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled. | ||||
| CVE-2026-32992 | 1 Webpros | 2 Cpanel, Wp Squared | 2026-05-14 | 8.2 High |
| SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials. | ||||
| CVE-2026-32993 | 1 Webpros | 2 Cpanel, Wp Squared | 2026-05-14 | 8.3 High |
| Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response. | ||||
| CVE-2026-29202 | 1 Webpros | 3 Cpanel, Cpanel (centos 6, Cloudlinux 6), Wp Sqaured | 2026-05-14 | 8.8 High |
| Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user. | ||||
| CVE-2026-29201 | 1 Webpros | 3 Cpanel, Cpanel (centos 6, Cloudlinux 6), Wp Squared | 2026-05-13 | 8.6 High |
| Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed. | ||||
| CVE-2026-29204 | 1 Webpros | 1 Whmcs | 2026-05-13 | 9.1 Critical |
| Insufficient ownership check in `clientarea.php` allows an authenticated client area user to submit requests using another user’s `addonId` without any ownership validation leading to unauthorized access to the victim's account. | ||||
| CVE-2026-29200 | 1 Webpros | 1 Comet Backup | 2026-05-04 | N/A |
| A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call. | ||||
| CVE-2025-65518 | 2 Plesk, Webpros | 2 Obsidian, Plesk Obsidian | 2026-01-30 | 7.5 High |
| Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a malicious payload can cause the affected web interface to continuously reload, rendering the service unavailable to legitimate users. An attacker can exploit this issue remotely without authentication, resulting in a persistent availability impact on the affected Plesk Obsidian instance. | ||||
Page 1 of 1.