Skip to main content

Plesk CVE-2026-48614

| EUVDEUVD-2026-41892 CRITICAL
Code Injection (CWE-94)
2026-07-06 hackerone GHSA-29pr-6qrg-q2x4
9.9
CVSS 3.1 · Vendor: hackerone
Share

Severity by source

Vendor (hackerone) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

XML API is network-reachable (AV:N/AC:L) but needs a valid low-privileged account (PR:L); root file write escapes the app boundary (S:C) giving full C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 06, 2026 - 19:02 EUVD
Analysis Generated
Jul 06, 2026 - 18:25 vuln.today

DescriptionCVE.org

An improper authorization vulnerability in the Plesk XML API allows an authenticated user to inject arbitrary configuration directives, resulting in arbitrary file write as root and full privilege escalation on the underlying server.

AnalysisAI

Privilege escalation in the Plesk web hosting control panel lets an authenticated low-privileged user abuse an improper authorization flaw in the XML API to inject arbitrary configuration directives, achieving arbitrary file write as root and full compromise of the underlying server. Rated CVSS 9.9 with a scope change, this turns any valid panel account into root on the host; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privileged Plesk account
Delivery
Reach XML API endpoint
Exploit
Inject unauthorized configuration directives
Execution
Arbitrary file write as root
Impact
Escalate to full root control of server

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Plesk account (CVSS PR:L) with the ability to reach the Plesk XML API - for example a reseller or customer login on a multi-tenant hosting server - and the ability to send crafted API requests injecting configuration directives. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine high-priority issue, not an inflated CVSS number. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A tenant on a shared Plesk server (or an attacker who has phished or purchased a low-privileged reseller/customer login) authenticates to the panel and issues crafted XML API requests that smuggle unauthorized configuration directives into a root-owned service config. The injected directives are written to disk as root, letting the attacker plant or overwrite a privileged file (e.g. …
Remediation Apply the fix described in the Plesk vendor advisory (https://support.plesk.com/hc/en-us/articles/41171817973143-Vulnerability-in-Plesk-XML-API) - patch available per vendor advisory, though an exact fixed version number is not confirmed in the available data, so verify the target build against that article before and after updating and enable Plesk automatic updates. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Plesk instances; restrict panel access to administrative networks only via IP whitelisting; disable the XML API if not operationally required. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48614 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy