Description
Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.
Published: 2026-05-29
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Plesk’s APS Application Catalog search functionality is vulnerable to XPath injection. User‑supplied input is inserted directly into an XPath query without proper sanitization, allowing an attacker to inject arbitrary XPath expressions. This flaw leads to execution of arbitrary operating system commands with the privileges of the process hosting Plesk, resulting in local privilege escalation for authenticated users with low privileges.

Affected Systems

The vulnerability affects all installations of WebPros Plesk that provide the APS Application Catalog search feature. No specific version details are supplied, so any on‑premises or hosted Plesk environment is potentially impacted unless a patch has already been applied.

Risk and Exploitability

The CVSS score of 10 indicates that this flaw is of maximum severity. The EPSS score is not available, and the vulnerability is not yet listed in CISA KEV, but the lack of an exploit probability rating does not diminish the inherent risk. Based on the description, the likely attack vector is an authenticated low‑privileged user who can access the search functionality; such a user can exploit the injection to execute arbitrary OS commands, achieving full control of the server.

Generated by OpenCVE AI on May 29, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Plesk patch available in Plesk support portal "Vulnerability CVE‑2026‑44962 in Plesk APS Catalog" to remove the XPath injection flaw.
  • Restrict APS Application Catalog search to accounts with administrator privileges to prevent unauthenticated or low‑privileged use of the vulnerable feature.
  • If a patch has not yet been released, disable or uninstall the APS Application Catalog module until the vendor issues a fix.

Generated by OpenCVE AI on May 29, 2026 at 17:20 UTC.
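The flaw described above is the classic XPath injection pattern: a search term is spliced into a query string, so a quote in the term ends the string literal and the remainder is parsed as XPath. The following Python is an added illustration written for this page; it is not Plesk's code and the element and attribute names (application, name) are assumptions, not the real APS catalog schema. It places the vulnerable query builder beside a hardened one that always emits a complete XPath 1.0 string literal (using concat() when a value carries both quote kinds, since XPath 1.0 has no escape sequences), and adds a small logging hook that flags search terms containing XPath metacharacters for review.

```python
import re

# Constructed illustration of the APS catalog search flaw. The query shape and
# the names "application" and "name" are assumptions, not Plesk's real schema.


def unsafe_search_query(term: str) -> str:
    """Vulnerable pattern: the search term is interpolated straight into the
    XPath predicate, so a quote inside the term closes the string literal and
    whatever follows is evaluated as XPath."""
    return f"//application[contains(name, '{term}')]"


def xpath_string_literal(value: str) -> str:
    """Return an XPath 1.0 string literal that evaluates to exactly `value`.

    XPath 1.0 string literals have no escape sequences, so a value that
    contains both ' and " can only be expressed by splitting it into pieces
    and rejoining them with concat()."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    pieces = []
    for i, part in enumerate(parts):
        if part:
            pieces.append(f"'{part}'")
        if i < len(parts) - 1:
            pieces.append("\"'\"")  # the single quote itself, double-quoted
    return "concat(" + ", ".join(pieces) + ")"


def safe_search_query(term: str) -> str:
    """Hardened form: the term is always a self-contained literal, whatever it
    contains. Engines that support XPath variable binding (for example lxml's
    xpath(expr, name=value)) are preferable; this builder is for engines that
    only accept a query string."""
    return f"//application[contains(name, {xpath_string_literal(term)})]"


# Detection hook for request logging: flag search terms that carry XPath
# string delimiters, predicate brackets, union operators or boolean keywords,
# so they can be reviewed alongside the account that submitted them.
_SUSPICIOUS = re.compile(r"""['"\[\]()|]|\b(?:or|and)\b""", re.IGNORECASE)


def looks_like_xpath_injection(term: str) -> bool:
    return _SUSPICIOUS.search(term) is not None


if __name__ == "__main__":
    benign = "wordpress"
    hostile = "' or '1'='1"  # constructed input that closes the literal early
    for t in (benign, hostile):
        print("unsafe:", unsafe_search_query(t))
        print("safe:  ", safe_search_query(t))
        print("flag:  ", looks_like_xpath_injection(t))
```

With the hostile input the unsafe builder yields a predicate whose string literal ends immediately and the rest becomes part of the expression; the safe builder wraps the same input in double quotes, so it stays an ordinary search string. Quoting correctly is the minimum fix; binding the value as an XPath variable where the engine supports it removes the problem entirely.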

Advisories

No advisories yet.

History

Fri, 29 May 2026 17:45:00 +0000

Type: Title
Values Removed: (none)
Values Added: XPath Injection in Plesk APS Catalog Enables Local Privilege Escalation

Fri, 29 May 2026 17:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 16:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-643

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-29T16:43:18.000Z

Reserved: 2026-05-08T15:00:02.447Z

Link: CVE-2026-44962

Vulnrichment

Updated: 2026-05-29T16:43:14.744Z

NVD

Status : Awaiting Analysis

Published: 2026-05-29T16:16:27.567

Modified: 2026-05-29T16:33:43.467

Link: CVE-2026-44962

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T17:30:04Z

Weaknesses