Improper Authorization in Plesk XML API Leading to Privilege Escalation
CVE-2026-48614

9.9CRITICAL

Key Information:

Vendor

Webpros

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-48614?

The vulnerability in the Plesk XML API enables an authenticated user to manipulate configuration directives without proper authorization. This flaw facilitates arbitrary file write operations as the root user, compromising the server's security and allowing full privilege escalation. It is crucial for users of affected versions of Plesk to apply necessary security measures to prevent exploitation.

Affected Version(s)

Plesk 0 < 18.0.78

References

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.