XPath Injection Vulnerability in Plesk APS Application Catalog
CVE-2026-44962

10 CRITICAL

Key Information:

Vendor: Webpros

Status
Vendor
CVE Published: 29 May 2026

What is CVE-2026-44962?

The Plesk APS Application Catalog is vulnerable to XPath injection due to insufficient sanitization of user-supplied input in its search functionality. This flaw allows authenticated users with low privileges to manipulate XPath queries, potentially executing arbitrary commands on the server. Such exploitation can lead to local privilege escalation, compromising the security of the entire system.

Affected Version(s)

Plesk 18.0.75.1

Plesk 18.0.76.2

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
