Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.
AnalysisAI
Local privilege escalation in Plesk's APS Application Catalog allows an authenticated low-privileged user to execute arbitrary operating system commands by injecting malicious XPath syntax into the catalog search functionality. The flaw carries a critical CVSS 3.1 score of 9.9 due to scope change and full CIA impact, and no public exploit identified at time of analysis. The advisory was disclosed via HackerOne and acknowledged in a Plesk support article, but EPSS and KEV signals are not provided in the available intelligence.
Technical ContextAI
Plesk is a widely deployed web hosting control panel that integrates the APS (Application Packaging Standard) Catalog to let administrators discover and install third-party web applications. The vulnerability is classified as CWE-643 (Improper Neutralization of Data within XPath Expressions), meaning user-supplied search input is concatenated directly into XPath queries used to traverse the APS catalog's XML data structures. Because the resulting XPath expression is evaluated server-side and ultimately feeds into command construction, an attacker can break out of the intended query context and influence operating system command execution on the host running Plesk.
RemediationAI
Apply the fix described in Plesk's advisory at https://support.plesk.com/hc/en-us/articles/38633651286679-Vulnerability-CVE-2026-44962-in-Plesk-s-APS-Catalog; an exact fixed version was not included in the provided data, so treat the patch status as 'Patch available per vendor advisory' and confirm the precise micro-update through the Plesk Updates utility or vendor support. Until patched, compensating controls include restricting access to the APS Application Catalog and its search endpoint via Plesk role permissions so that only trusted administrators can reach it (trade-off: tenants lose self-service app installation), placing the Plesk panel behind an IP allowlist or VPN to shrink the population of authenticated attackers, and auditing existing low-privileged accounts and resetting credentials for any suspected of compromise. Disabling or uninstalling the APS catalog component, if operationally feasible, removes the vulnerable code path entirely at the cost of losing one-click application provisioning.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33344
GHSA-2785-qq7p-x3cj