VYPR

Obsidian

by Plesk

CVEs (7)

  • CVE-2025-54336 · Critical · Aug 19, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses a loose (==) comparison. If the correct password is "0e" followed by any digit string, PHP treats it as the float 0.0, so an attacker can log in with any other string that also evaluates to 0.0 (such as "0e0"). This occurs in admin/plib/LoginManager.php.

  • CVE-2022-45130 · Medium · Nov 10, 2022
    risk 0.42 · cvss 6.5 · epss 0.00

    Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. NOTE: Obsidian is a specific version of the Plesk product: version numbers were used through version 12, and then the convention was changed so that versions are…

  • CVE-2023-24044 · Medium · Jan 22, 2023
    risk 0.40 · cvss 6.1 · epss 0.02

    A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a Host request header. NOTE: the vendor's position is "the ability to use arbitrary domain names to access the panel is an intended…

  • CVE-2021-35976 · Medium · Sep 10, 2021
    risk 0.40 · cvss 6.1 · epss 0.01

    The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH, aka PFSI-62467. The attacker could execute JavaScript code in the victim's browser by using the link to preview sites hosted on…

  • CVE-2020-11583 · Medium · Aug 3, 2020
    risk 0.40 · cvss 6.1 · epss 0.01

    A GET-based reflected XSS vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.

  • CVE-2025-49618 · Medium · Jul 3, 2025
    risk 0.38 · cvss 5.8 · epss 0.00

    In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint.

  • CVE-2025-65518 · Jan 8, 2026
    risk 0.00 · cvss (not listed) · epss 0.01

    Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a malicious payload can cause the affected web interface to continuously reload,…
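
The loose-comparison bug behind CVE-2025-54336 is easy to reproduce outside Plesk. The following is an added example, not Plesk's code from LoginManager.php: it puts a `==` check beside a `hash_equals()` check and feeds both the "0e" digit-string case from the advisory. The stored values, function names and test strings are constructed for illustration.

```php
<?php
// Added example (not Plesk's own code). Shows why `==` must never be used to
// compare a secret in PHP: two numeric strings such as "0e12345" and "0e0"
// are compared as numbers, and both parse as the float 0.0.

// Vulnerable pattern as described in the advisory: loose comparison.
function isAdminPasswordValidLoose(string $stored, string $supplied): bool
{
    return $stored == $supplied;   // type-juggling comparison
}

// Hardened pattern: byte-for-byte, constant-time comparison.
// In production the stored value should be a password_hash() result and the
// check password_verify($supplied, $storedHash); hash_equals() is shown here
// because it is the direct drop-in for the broken comparison above.
function isAdminPasswordValidStrict(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

// Constructed test cases: [stored "correct" password, attacker input, note].
$cases = [
    ['0e12345', '0e0',     'both numeric strings parse as 0.0 -> loose match'],
    ['0e12345', '0',       'plain "0" is also 0.0 -> loose match'],
    ['0e12345', '0e12345', 'the real password -> both match'],
    ['s3cr3t',  '0e0',     'non-numeric stored value, no juggling -> no match'],
];

foreach ($cases as [$stored, $supplied, $note]) {
    printf(
        "stored=%-8s supplied=%-8s loose=%-5s strict=%-5s (%s)\n",
        $stored,
        $supplied,
        var_export(isAdminPasswordValidLoose($stored, $supplied), true),
        var_export(isAdminPasswordValidStrict($stored, $supplied), true),
        $note
    );
}
```

Run with `php example.php`. The first two rows print `loose=true strict=false`, which is exactly the authentication bypass the advisory describes; the behaviour is the same on PHP 7 and PHP 8, because PHP 8 only changed how a numeric string compares against a non-string, not how two numeric strings compare with each other. The `hash_equals()` column is also constant-time, which closes the timing side channel that a plain `===` would leave open.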