PT-2026-44902 · Plesk · Plesk

Georgii Shutiaev · Published 2026-05-29 · Updated 2026-06-06 · CVE-2026-44962

CVSS v3.1: 9.9 Critical

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Plesk versions prior to 18.0.75.1
Plesk versions prior to 18.0.76.2

Description

An XPath injection issue exists in the APS Application Catalog search functionality. This occurs because user-supplied input is interpolated into XPath queries without proper sanitization. An authenticated, low-privileged user can exploit this to execute arbitrary operating system commands on the server, leading to local privilege escalation. Over 1.8 million devices were identified as potentially affected via FOFA queries in the past year.

Recommendations

Update to version 18.0.75.1.
Update to version 18.0.76.2.
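The weakness class named in the Description, shown as an added example that is not Plesk's code and not taken from the advisory: a search term interpolated into an XPath string next to a builder that keeps the term inside a string literal. The element names `application` and `name`, the 64-character limit and the sample term are assumptions, since the page does not show the real query.

```python
import re

# One XPath 1.0 string literal: '...' or "..." (the grammar has no escape character).
_LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")

def xpath_literal(value: str) -> str:
    """Return an XPath 1.0 expression that evaluates to exactly `value`."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    # Both quote types present: split on ' and rejoin the pieces with concat().
    pieces = []
    for i, part in enumerate(value.split("'")):
        if i:
            pieces.append('"\'"')  # the apostrophe itself, double-quoted
        if part:
            pieces.append(f"'{part}'")
    return "concat(" + ", ".join(pieces) + ")"

def unsafe_query(term: str) -> str:
    # The pattern the Description names: input pasted straight into the query text.
    return f"//application[contains(name, '{term}')]"

def safe_query(term: str) -> str:
    # Hypothetical limits (assumption): bounded length, no control characters.
    if len(term) > 64 or any(ord(c) < 0x20 for c in term):
        raise ValueError("search term rejected")
    return f"//application[contains(name, {xpath_literal(term)})]"

def literal_values(query: str) -> list:
    """Contents of every string literal in `query`, in order."""
    return [m[1:-1] for m in _LITERAL.findall(query)]

def outside_literals(query: str) -> str:
    """Query with literals blanked out; what remains is parsed as XPath syntax."""
    return _LITERAL.sub("?", query)

# Constructed sample input: a benign product name containing both quote types.
SAMPLE = 'Bob\'s "Pro" CMS'

if __name__ == "__main__":
    for build in (unsafe_query, safe_query):
        print(build.__name__, "->", outside_literals(build(SAMPLE)))
```

With the interpolated form, part of the term ends up outside any literal and is parsed as query syntax; with the literal builder, the query shape stays fixed and the term reads back unchanged.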

Fix

LPE


Weakness Enumeration

Related Identifiers

CVE-2026-44962

Affected Products

Plesk