Critical Plesk Vulnerability Allows Arbitrary Server Command

Marcus Rodriguez
June 1, 2026

A critical vulnerability, CVE-2026-44962, has been newly disclosed in Plesk, prompting serious security concerns. Researchers confirmed it allows authenticated users to execute arbitrary operating system commands on affected servers.

The issue, published in the National Vulnerability Database and GitHub Advisory Database, affects the APS Application Catalog component and has been assigned a critical CVSS score due to its high impact on confidentiality, integrity, and availability.

The vulnerability stems from an XPath injection flaw in the APS Catalog search functionality.

Plesk Command Execution Vulnerability

Specifically, user-supplied input is improperly handled and directly incorporated into XPath queries without adequate sanitization.

This weakness, categorized under CWE-643, allows attackers to manipulate query logic and control how data is retrieved from XML-based storage.

In practice, a low-privileged, authenticated user can exploit this flaw to escalate privileges and execute arbitrary commands on the underlying server.

The attack needs only network access to the panel and a low-privileged account, with no user interaction, which lowers the barrier to exploitation considerably in real-world environments.

The vulnerability also has a changed scope in CVSS terms: the vulnerable component is the panel's APS Catalog, but the impact lands on the underlying server, outside the panel's own security boundary.

XPath injection is particularly dangerous in web applications that rely on XML data processing because the characters that matter (single and double quotes, square brackets, the or operator, the | union operator and function calls) are often not covered by filters written with SQL injection in mind, so traditional input validation controls can be bypassed.

In this case, the improper neutralization of input lets attackers craft queries that alter how the backend resolves the search and, as the researchers confirmed, that is enough to reach operating system command execution.
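To make the bug class concrete, the following Python is an added example written for this article, not Plesk code and not a reconstruction of the APS Catalog query, which is not public here. It shows the CWE-643 pattern the advisory describes (a search term concatenated into an XPath predicate) beside two hardened forms: a correct XPath 1.0 string-literal encoder and a reject-on-failure allowlist. The package/name element names, the search-term shape and the allowlist are assumptions.

```python
"""XPath injection (CWE-643): string-built predicate beside hardened forms.

Added example modelling the bug class behind CVE-2026-44962; it is not Plesk
code. The <package>/<name> element names and the search-term shape are
assumptions about what an application-catalogue search might look like.
"""
import string


def build_query_vulnerable(term: str) -> str:
    # The term is pasted into the predicate, so a quote in the input ends the
    # literal and whatever follows is parsed as XPath, not treated as data.
    return f"//package[name='{term}']"


def xpath_literal(value: str) -> str:
    """Return an XPath 1.0 string literal that denotes exactly `value`.

    XPath 1.0 has no escape sequences inside literals; a value holding both
    quote kinds has to be stitched together with concat().
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = []
    for chunk in value.split("'"):
        if chunk:
            parts.append(f"'{chunk}'")
        parts.append("\"'\"")            # the apostrophe itself, double-quoted
    parts.pop()                          # no apostrophe follows the last chunk
    return "concat(" + ", ".join(parts) + ")"


def build_query_safe(term: str) -> str:
    # Same query, but the term can only ever be compared as a string value.
    return f"//package[name={xpath_literal(term)}]"


ALLOWED_CHARS = frozenset(string.ascii_letters + string.digits + "-_. ")


def validate_search_term(term: str) -> str:
    """Allowlist check for a catalogue search box (defence in depth).

    Reject instead of sanitising: a term that needs quotes, brackets or
    operators is not a package name. The same predicate doubles as a cheap
    detection rule over logged search parameters.
    """
    if not 1 <= len(term) <= 64 or any(ch not in ALLOWED_CHARS for ch in term):
        raise ValueError(f"rejected search term: {term!r}")
    return term


if __name__ == "__main__":
    payload = "' or '1'='1"                  # classic tautology; constructed sample
    print(build_query_vulnerable(payload))   # predicate now matches every package
    print(build_query_safe(payload))         # payload stays inside one literal
    try:
        validate_search_term(payload)
    except ValueError as exc:
        print(exc)
```

Where the XPath engine supports variable bindings (lxml's xpath() with keyword arguments, REXML's variables hash), binding the term as $term is preferable to building the literal by hand; the allowlist stays useful either way because it also catches terms that are syntactically safe but semantically absurd for a package search.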

Plesk has acknowledged the issue and released patched versions to address the flaw. The vulnerability has been fixed in Plesk versions 18.0.76.2 and 18.0.75.1, which were made available in late February 2026.

Users are strongly advised to update their installations immediately to mitigate the risk of exploitation. For environments where immediate patching is not feasible, Plesk has provided a temporary workaround.

Administrators can turn off the APS Catalog functionality by modifying the panel configuration file at /usr/local/psa/admin/conf/panel.ini.
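For fleets of Plesk hosts, the two remediation paths above reduce to a version check and, where the update has to wait, a panel.ini edit. The Python below is an added triage helper written for this article, not Plesk tooling or anything from the advisory. It treats 18.0.75.1 and 18.0.76.2 as the first fixed patch levels of their branches (from the text) and assumes that later branches inherit the fix and that older branches do not. The "Product version: Plesk Obsidian x.y.z.w" line shape of plesk version output and the [aps] catalogsEnabled = false key are recalled from Plesk documentation, not stated by the article; confirm both against Plesk's advisory before relying on them.

```python
"""Plesk CVE-2026-44962 triage helper (added example, not Plesk tooling).

Decides whether a reported Plesk version carries the fix and, for hosts that
cannot be updated yet, produces a panel.ini with the APS Catalog disabled.
"""
import configparser
import io
import re

# First fixed patch level per maintained branch, taken from the advisory text.
FIXED_PATCH = {(18, 0, 75): 1, (18, 0, 76): 2}


def parse_version(version: str) -> tuple[int, int, int, int]:
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Plesk version string: {version!r}")
    major, minor, build, patch = (int(p) for p in parts)
    return major, minor, build, patch


def is_fixed(version: str) -> bool:
    """True if `version` includes the CVE-2026-44962 fix.

    Assumption: branches newer than 18.0.76 inherit the fix; branches older
    than 18.0.75 never received it and must be upgraded.
    """
    major, minor, build, patch = parse_version(version)
    branch = (major, minor, build)
    if branch in FIXED_PATCH:
        return patch >= FIXED_PATCH[branch]
    return branch > max(FIXED_PATCH)


_VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+\.\d+)\b")


def version_from_cli_output(text: str) -> str:
    """Pull the dotted version out of `plesk version` output.

    Assumed line shape: 'Product version: Plesk Obsidian 18.0.x.y'.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError("no x.y.z.w version found in output")
    return match.group(1)


def disable_aps_catalog(panel_ini: str) -> str:
    """Return panel.ini text with the APS Catalog switched off.

    Assumed setting: [aps] catalogsEnabled = false. The key name is recalled
    from Plesk documentation, not taken from the article; verify it against
    Plesk's advisory. Other sections of the file are preserved.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep camelCase keys exactly as written
    cp.read_string(panel_ini)
    if not cp.has_section("aps"):
        cp.add_section("aps")
    cp.set("aps", "catalogsEnabled", "false")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    # Constructed sample; a real run would capture `plesk version` via subprocess
    # and read/write /usr/local/psa/admin/conf/panel.ini.
    sample = "Product version: Plesk Obsidian 18.0.76.1\n    Update date: 2026/02/10\n"
    ver = version_from_cli_output(sample)
    if is_fixed(ver):
        print(ver, "already carries the fix")
    else:
        print(ver, "is vulnerable: update, or apply this panel.ini until you can")
        print(disable_aps_catalog("[webserver]\nnginxClientMaxBodySize = 256m\n"))
```

The workaround output is only a stopgap: the script reports a host as done only when is_fixed() is true, never because the catalog was disabled.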

While this reduces exposure, it is not a substitute for applying the official security update. The vulnerability was responsibly disclosed by security researcher Georgii Shutiaev, who collaborated with Plesk to ensure coordinated remediation.

At the time of publication, there is no public evidence of active exploitation. However, given the attack’s simplicity and high impact, threat actors could rapidly weaponize it.

Organizations using Plesk, particularly in shared hosting or multi-tenant environments, should treat this vulnerability as a priority.

Immediate patching, a review of which low-privileged accounts can reach the panel at all, and monitoring for unexpected processes spawned from the Plesk panel's web service are the critical steps to prevent compromise.

This incident highlights the ongoing risks of improper input handling in web applications. It reinforces the importance of secure coding practices and timely patch management in reducing the attack surface.
