Critical severity9.8NVD Advisory· Published Aug 19, 2025· Updated Apr 15, 2026

CVE-2025-54336

Description

In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can login with any other string that evaluates to 0.0 (such as the 0e0 string). This occurs in admin/plib/LoginManager.php.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

blog.aziz.tn/2025/08/cve-2025-54336.html/nvd
support.plesk.com/hc/en-us/articles/33785727869847-Vulnerability-CVE-2025-54336nvd
www.plesk.com/blog/plesk-news-announcements/introducing-plesk-obsidian-18-0-70-anniversary-edition/nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000