Skip to main content

Plesk EUVDEUVD-2026-33344

| CVE-2026-44962 CRITICAL
Improper Neutralization of Data within XPath Expressions ('XPath Injection') (CWE-643)
2026-05-29 support@hackerone.com GHSA-2785-qq7p-x3cj
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
May 29, 2026 - 17:02 EUVD
Analysis Generated
May 29, 2026 - 16:44 vuln.today

DescriptionCVE.org

Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.

AnalysisAI

Local privilege escalation in Plesk's APS Application Catalog allows an authenticated low-privileged user to execute arbitrary operating system commands by injecting malicious XPath syntax into the catalog search functionality. The flaw carries a critical CVSS 3.1 score of 9.9 due to scope change and full CIA impact, and no public exploit identified at time of analysis. The advisory was disclosed via HackerOne and acknowledged in a Plesk support article, but EPSS and KEV signals are not provided in the available intelligence.

Technical ContextAI

Plesk is a widely deployed web hosting control panel that integrates the APS (Application Packaging Standard) Catalog to let administrators discover and install third-party web applications. The vulnerability is classified as CWE-643 (Improper Neutralization of Data within XPath Expressions), meaning user-supplied search input is concatenated directly into XPath queries used to traverse the APS catalog's XML data structures. Because the resulting XPath expression is evaluated server-side and ultimately feeds into command construction, an attacker can break out of the intended query context and influence operating system command execution on the host running Plesk.

RemediationAI

Apply the fix described in Plesk's advisory at https://support.plesk.com/hc/en-us/articles/38633651286679-Vulnerability-CVE-2026-44962-in-Plesk-s-APS-Catalog; an exact fixed version was not included in the provided data, so treat the patch status as 'Patch available per vendor advisory' and confirm the precise micro-update through the Plesk Updates utility or vendor support. Until patched, compensating controls include restricting access to the APS Application Catalog and its search endpoint via Plesk role permissions so that only trusted administrators can reach it (trade-off: tenants lose self-service app installation), placing the Plesk panel behind an IP allowlist or VPN to shrink the population of authenticated attackers, and auditing existing low-privileged accounts and resetting credentials for any suspected of compromise. Disabling or uninstalling the APS catalog component, if operationally feasible, removes the vulnerable code path entirely at the cost of losing one-click application provisioning.

Share

EUVD-2026-33344 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy