Search Results (15 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-48614 1 Webpros 1 Plesk 2026-07-06 9.9 Critical
An improper authorization vulnerability in the Plesk XML API allows an authenticated user to inject arbitrary configuration directives, resulting in arbitrary file write as root and full privilege escalation on the underlying server.
CVE-2026-29205 2 Webpros, Wordpress 3 Cpanel, Wp Squared, Wordpress 2026-06-18 8.6 High
Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints.
CVE-2026-47365 2 Webpros, Wordpress 2 Wordpress-toolkit, Wordpress 2026-06-12 9.9 Critical
Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.
CVE-2026-44962 1 Webpros 1 Plesk 2026-05-30 10 Critical
Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.
CVE-2026-32999 1 Webpros 1 Comet Backup 2026-05-28 9.1 Critical
Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute an arbitrary code on behalf of a privileged user on the affected server and connected devices.
CVE-2026-29203 1 Webpros 3 Cpanel, Cpanel (centos 6, Cloudlinux 6), Wp Squared 2026-05-15 8.8 High
A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.
CVE-2026-32991 2 Webpros, Wordpress 4 Cpanel, Cpanel (cloudlinux 6, Centos 6), Wp Squared and 1 more 2026-05-14 7.1 High
Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account.
CVE-2026-29206 1 Webpros 3 Cpanel, Cpanel (cloudlinux 6, Centos 6), Wp Squared 2026-05-14 8.1 High
Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled.
CVE-2026-32992 1 Webpros 2 Cpanel, Wp Squared 2026-05-14 8.2 High
SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials.
CVE-2026-32993 1 Webpros 2 Cpanel, Wp Squared 2026-05-14 8.3 High
Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.
CVE-2026-29202 1 Webpros 3 Cpanel, Cpanel (centos 6, Cloudlinux 6), Wp Sqaured 2026-05-14 8.8 High
Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.
CVE-2026-29201 1 Webpros 3 Cpanel, Cpanel (centos 6, Cloudlinux 6), Wp Squared 2026-05-13 8.6 High
Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
CVE-2026-29204 1 Webpros 1 Whmcs 2026-05-13 9.1 Critical
Insufficient ownership check in `clientarea.php` allows an authenticated client area user to submit requests using another user’s `addonId` without any ownership validation leading to unauthorized access to the victim's account.
CVE-2026-29200 1 Webpros 1 Comet Backup 2026-05-04 N/A
A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call.
CVE-2025-65518 2 Plesk, Webpros 2 Obsidian, Plesk Obsidian 2026-01-30 7.5 High
Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a malicious payload can cause the affected web interface to continuously reload, rendering the service unavailable to legitimate users. An attacker can exploit this issue remotely without authentication, resulting in a persistent availability impact on the affected Plesk Obsidian instance.