Critical severity9.9NVD Advisory· Published May 29, 2026· Updated May 29, 2026
CVE-2026-44962
CVE-2026-44962
Description
Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.
Affected products
1Patches
Vulnerability mechanics
References
1News mentions
2- ⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and MoreThe Hacker News · Jun 1, 2026
- Critical Plesk Vulnerability Let Users Execute Arbitrary Commands on the ServerCyber Security News · Jun 1, 2026