VYPR
patch · Published Jun 1, 2026 · 1 source

Critical Plesk Vulnerability Lets Authenticated Users Execute Arbitrary Commands on the Server

A critical XPath injection vulnerability in Plesk, CVE-2026-44962, allows authenticated users to execute arbitrary OS commands on affected servers, with patches now available.

A newly disclosed critical vulnerability in Plesk, tracked as CVE-2026-44962, is raising serious security concerns after researchers confirmed it can allow authenticated users to execute arbitrary operating system commands on affected servers. The issue, published in the National Vulnerability Database and GitHub Advisory Database, affects the APS Application Catalog component and has been assigned a critical CVSS score due to its high impact on confidentiality, integrity, and availability.

The vulnerability stems from an XPath injection flaw in the APS Catalog search functionality. Specifically, user-supplied input is improperly handled and directly incorporated into XPath queries without adequate sanitization. This weakness, categorized under CWE-643, allows attackers to manipulate query logic and control how data is retrieved from XML-based storage. In practice, a low-privileged, authenticated user can exploit this flaw to escalate privileges and execute arbitrary commands on the underlying server.

Because the attack requires only network access, low privileges and no user interaction (the CVSS metrics behind the critical score), the barrier to exploitation in real-world environments is low. The vulnerability is also scored with a changed scope, meaning a compromise of the vulnerable component (the APS Catalog) reaches resources beyond it, here the host operating system. XPath injection is especially dangerous in applications that keep data in XML: a single query can address any node in the document, XPath 1.0 offers neither a comment syntax nor an escape sequence inside string literals, and input filters written with SQL injection in mind often do not treat the characters that matter here (quotes, brackets, parentheses and the `or`, `and` and `|` operators) as dangerous.
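The injection pattern described above, shown as an added example in Ruby using REXML; this is not code from Plesk or from the original article. The XML layout, the element names and the two search functions are assumptions for illustration, and the step from controlling the query to executing OS commands is not reproduced because the article does not describe that mechanism. The vulnerable function splices the search term into the XPath string; the hardened one wraps it in a literal that cannot be broken out of, using the concat() technique that works even when the value contains both kinds of quote.

```ruby
require 'rexml/document'

# Constructed sample catalog standing in for an XML-backed application
# catalog. The element names are an assumption for illustration, not
# Plesk's real APS data format.
CATALOG_XML = <<~XML
  <catalog>
    <app>
      <name>wordpress</name>
      <visibility>public</visibility>
    </app>
    <app>
      <name>internal-tool</name>
      <visibility>hidden</visibility>
    </app>
  </catalog>
XML

CATALOG = REXML::Document.new(CATALOG_XML)

# Vulnerable pattern (CWE-643): the caller's search term is spliced into the
# XPath string, so a quote in the term ends the literal and the rest of the
# term becomes query logic. XPath 1.0 has no comment syntax, so the payload
# cannot discard the trailing "' and visibility='public'"; instead it ends
# with an unterminated literal that the original trailing quote completes.
def search_vulnerable(term)
  query = "//app[name='#{term}' and visibility='public']/name"
  REXML::XPath.match(CATALOG, query).map(&:text)
end

# XPath 1.0 has no escape sequence inside a string literal, so a value that
# contains a quote cannot simply be wrapped in that quote. This builder picks
# a quote style the value does not contain, or, when it contains both, splits
# the value on single quotes and reassembles it with concat() so every piece
# is a plain literal.
def xpath_literal(value)
  return "'#{value}'" unless value.include?("'")
  return "\"#{value}\"" unless value.include?('"')
  parts = value.split("'", -1).map { |piece| "'#{piece}'" }
  "concat(#{parts.join(%q(, "'", ))})"
end

# Hardened search: the term is always exactly one string literal and cannot
# alter the predicate, whatever characters it contains.
def search_safe(term)
  query = "//app[name=#{xpath_literal(term)} and visibility='public']/name"
  REXML::XPath.match(CATALOG, query).map(&:text)
end

if __FILE__ == $PROGRAM_NAME
  # "or 1=1" short-circuits the whole predicate because "and" binds tighter
  # than "or", so the visibility filter is never consulted.
  payload = "x' or 1=1 or 'a'='a"
  p search_vulnerable('wordpress')   # the intended, filtered result
  p search_vulnerable(payload)       # the hidden entry leaks past the filter
  p search_safe(payload)             # same payload, no match
end
```

The hardened form still lets a user search freely; it only guarantees that the term is data, never structure. Where the XPath library supports variable binding (REXML accepts a variables hash and `$name` references), that is the equivalent of a parameterized query and is preferable to hand-built literals.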

Plesk has acknowledged the issue and released patched versions to address the flaw. The vulnerability is fixed in Plesk versions 18.0.76.2 and 18.0.75.1, both made available in late February 2026. Users are strongly advised to update their installations immediately to mitigate the risk of exploitation. For environments where immediate patching is not feasible, Plesk has provided a temporary workaround: administrators can turn off the APS Catalog functionality by modifying the panel configuration file at /usr/local/psa/admin/conf/panel.ini. The workaround removes the vulnerable search surface but not the underlying flaw, so it should be treated as a stopgap until the update is applied.

The vulnerability was responsibly disclosed by security researcher Georgii Shutiaev, who collaborated with Plesk to ensure coordinated remediation. At the time of publication, there is no public evidence of active exploitation. However, given the attack's simplicity and high impact, threat actors could rapidly weaponize it. Organizations using Plesk, particularly in shared hosting or multi-tenant environments, should treat this vulnerability as a priority.

Immediate patching, a review of which accounts hold any level of panel access (a low-privileged login is all the attack needs), and monitoring for unexpected child processes spawned by the panel's web server or application worker processes are the practical steps to prevent compromise. The incident again shows the cost of building queries from untrusted input: on the application side, the durable fix is to treat XPath like SQL and keep user data out of the query structure entirely, alongside timely patch management to shrink the window of exposure.

Synthesized by Vypr AI