Skip to main content

Plesk

4 CVEs product

Monthly

CVE-2026-56843 CRITICAL PATCH Act Now

Cross-tenant credential disclosure in WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to enumerate domains belonging to other tenants through the XML-RPC API, because ownership checks are applied only to certain lookup filters and schema validation is skipped for legacy protocol versions. Because affected FTP credentials are stored in cleartext, an attacker retrieves another tenant's FTP password and can pivot to executing code as that tenant's system user. No public exploit has been identified at time of analysis, but the flaw was reported via HackerOne and carries a CVSS 9.9 rating.

Authentication Bypass Plesk
NVD VulDB
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-48614 CRITICAL PATCH Act Now

Privilege escalation in the Plesk web hosting control panel lets an authenticated low-privileged user abuse an improper authorization flaw in the XML API to inject arbitrary configuration directives, achieving arbitrary file write as root and full compromise of the underlying server. Rated CVSS 9.9 with a scope change, this turns any valid panel account into root on the host; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Code Injection Privilege Escalation RCE Plesk
NVD VulDB
CVSS 3.1
9.9
EPSS
0.3%
CVE-2023-4931 HIGH This Week

Uncontrolled search path element vulnerability in Plesk Installer affects version 3.27.0.0. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Plesk
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2023-0829 CRITICAL Act Now

Plesk 17.0 through 18.0.31 version, is vulnerable to a Cross-Site Scripting. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Plesk
NVD
CVSS 3.1
9.0
EPSS
0.6%
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Cross-tenant credential disclosure in WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to enumerate domains belonging to other tenants through the XML-RPC API, because ownership checks are applied only to certain lookup filters and schema validation is skipped for legacy protocol versions. Because affected FTP credentials are stored in cleartext, an attacker retrieves another tenant's FTP password and can pivot to executing code as that tenant's system user. No public exploit has been identified at time of analysis, but the flaw was reported via HackerOne and carries a CVSS 9.9 rating.

Authentication Bypass Plesk
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation in the Plesk web hosting control panel lets an authenticated low-privileged user abuse an improper authorization flaw in the XML API to inject arbitrary configuration directives, achieving arbitrary file write as root and full compromise of the underlying server. Rated CVSS 9.9 with a scope change, this turns any valid panel account into root on the host; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Code Injection Privilege Escalation RCE +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Uncontrolled search path element vulnerability in Plesk Installer affects version 3.27.0.0. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Plesk
NVD
EPSS 1% CVSS 9.0
CRITICAL Act Now

Plesk 17.0 through 18.0.31 version, is vulnerable to a Cross-Site Scripting. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Plesk
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy