Critical Plesk Vulnerability (CVE-2026-44962) Exposes Linux Servers to Full Takeover
A severe security flaw in WebPros Plesk, a widely used web hosting control panel, has been discovered, allowing authenticated low-privilege attackers to execute arbitrary OS commands and gain full server control. Tracked as CVE-2026-44962, the vulnerability carries a CVSS 3.1 score of 10.0, the highest possible severity rating, posing a critical risk to Linux hosting environments globally.
The flaw resides in Plesk’s APS Application Catalog search functionality, where user-supplied input is improperly sanitized before being interpolated into XPath queries. Classified as CWE-643 (Improper Neutralization of Data within XPath Expressions), this injection vulnerability enables attackers to manipulate query structures, bypass security controls, and trigger unauthorized system-level operations.
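To make the CWE-643 pattern concrete, the following is an added example (not Plesk code, and the catalog schema and element names are assumptions). It shows a search term spliced into an XPath expression, a helper that encodes a value as a proper XPath 1.0 string literal, and a hardened search that keeps user data out of the expression entirely, run against a constructed catalog:

```python
"""Illustrative example (not Plesk code): the XPath-injection pattern behind
CWE-643 and two defensive fixes, run against a constructed catalog."""
import re
import xml.etree.ElementTree as ET

# Constructed sample catalog; the element names are assumptions, not the
# real APS catalog schema.
CATALOG_XML = """<catalog>
  <app><name>wordpress</name><visibility>public</visibility></app>
  <app><name>internal-tool</name><visibility>hidden</visibility></app>
</catalog>"""


def build_query_unsafe(term):
    """Vulnerable pattern: the search term is spliced into the expression, so a
    quote or bracket inside it changes the query's structure (CWE-643)."""
    return f".//app[name='{term}'][visibility='public']"


def xpath_string_literal(value):
    """Encode value as an XPath 1.0 string literal.  XPath has no escape
    character, so a value holding both quote kinds must be built with concat()."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = []
    for piece in value.split("'"):
        if piece:
            parts.append(f"'{piece}'")
        parts.append('"\'"')          # the single quote itself, double-quoted
    parts.pop()                       # drop the separator after the last piece
    return "concat(" + ", ".join(parts) + ")"


# Allow-list for catalog search terms: letters, digits, space, dot, underscore,
# hyphen; no quotes or brackets, which a search term never legitimately needs.
SEARCH_TERM_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}")


def is_safe_term(term):
    return SEARCH_TERM_RE.fullmatch(term) is not None


def search_safe(term, catalog_xml=CATALOG_XML):
    """Hardened search: the XPath expression is a constant, and the comparison
    against user input happens in Python on the already-selected nodes."""
    if not is_safe_term(term):
        raise ValueError("search term contains characters outside the allow-list")
    root = ET.fromstring(catalog_xml)
    return [app.findtext("name")
            for app in root.findall("./app[visibility='public']")
            if app.findtext("name") == term]


if __name__ == "__main__":
    crafted = "x'][name='y"   # constructed input that adds a predicate
    print("intended :", build_query_unsafe("wordpress"))
    print("crafted  :", build_query_unsafe(crafted))
    print("literal  :", xpath_string_literal("it's \"x\""))
    print("safe     :", search_safe("wordpress"))
```

The crafted term turns a two-predicate query into a three-predicate one without any error, which is exactly what a sanitizer must prevent. Where the XPath engine supports variable binding (lxml's `xpath()` accepts keyword arguments bound to `$name` variables), passing the term as a bound variable instead of text is the equivalent of a parameterized SQL query and is the preferred fix; the allow-list plus constant-expression approach above works with the standard library alone.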
Key Details:
- Disclosure Date: May 29, 2026 (via a coordinated bug bounty program).
- Attack Requirements: Network-accessible, no user interaction, low attack complexity, and only a low-privilege authenticated session (e.g., a standard hosting account).
- Impact: Arbitrary OS command execution, full local privilege escalation, and high risk to confidentiality, integrity, and availability.
- Affected Systems: Plesk for Linux with the APS Catalog feature enabled.
This vulnerability follows a prior critical flaw (CVE-2025-66430) disclosed months earlier, which allowed privilege escalation via Apache configuration injection.
Patch & Mitigation:
Plesk released fixes on February 24–25, 2026, for the following versions:
- Plesk 18.0.76.2 (February 25, 2026)
- Plesk 18.0.75.1 (February 24, 2026)
Administrators are advised to apply updates immediately. For environments unable to patch, Plesk recommends disabling the APS Catalog feature by adding the following to /usr/local/psa/admin/conf/panel.ini and restarting services:
[aps]
enabled = off
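As an added inventory check (not a Plesk tool), the following classifies an installed version against the fixed builds named above and confirms whether panel.ini carries the `[aps]` / `enabled = off` mitigation. The version-string format and the `plesk version` output filter in the usage comment are assumptions:

```python
"""Added check (not a Plesk tool): classify a Plesk version against the fixed
builds from the advisory and confirm the panel.ini mitigation is in place."""
import configparser

# Fixed builds from the advisory, keyed by release branch.
FIXED_VERSIONS = {"18.0.75": "18.0.75.1", "18.0.76": "18.0.76.2"}


def parse_version(version):
    """'18.0.76.2' -> (18, 0, 76, 2); tuples compare field by field, and a
    bare '18.0.75' sorts below '18.0.75.1'."""
    return tuple(int(part) for part in version.strip().split("."))


def plesk_status(version):
    """Return 'patched', 'vulnerable' or 'unknown-branch'.  Branches the
    advisory does not list are reported as unknown rather than guessed."""
    branch = ".".join(version.strip().split(".")[:3])
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "unknown-branch"
    return "patched" if parse_version(version) >= parse_version(fixed) else "vulnerable"


def aps_disabled(panel_ini_text):
    """True when the panel.ini text contains the advisory's mitigation:
    [aps]
    enabled = off
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(panel_ini_text)
    value = cp.get("aps", "enabled", fallback="")
    return value.strip().lower() == "off"


def assess(version, panel_ini_text):
    """Single verdict for a fleet report: patched, mitigated, exposed or
    unknown-branch."""
    status = plesk_status(version)
    if status == "patched":
        return "patched"
    if aps_disabled(panel_ini_text):
        return "mitigated"
    return "exposed" if status == "vulnerable" else "unknown-branch"


if __name__ == "__main__":
    import pathlib
    import sys
    # Assumed invocation on a host (the awk filter on `plesk version` output is
    # an assumption; adjust it to the actual "Product version" line):
    #   python3 check.py "$(plesk version | awk '/Product version/ {print $NF}')"
    version = sys.argv[1] if len(sys.argv) > 1 else "18.0.76.1"   # constructed default
    ini_path = pathlib.Path("/usr/local/psa/admin/conf/panel.ini")
    ini_text = ini_path.read_text() if ini_path.exists() else ""
    print(version, "->", assess(version, ini_text))
```

A host on an unlisted branch is deliberately not marked safe: the advisory names only the 18.0.75 and 18.0.76 fixed builds, so anything else should be checked against the vendor's release notes before it is counted as remediated.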
The vulnerability was responsibly disclosed by security researcher Georgii Shutiaev, who coordinated with Plesk to ensure a patch was available before public release. Hosting providers, managed service providers, and enterprises running Plesk on Linux are urged to prioritize remediation due to the flaw’s high severity and ease of exploitation.
Source: https://cyberpress.org/plesk-vulnerability-arbitrary-command-execution/
WebPros cybersecurity rating report: https://www.rankiteo.com/company/webpros
Rankiteo incident record (from the rating report above):
- id: WEB1780309424
- linkid: webpros
- type: Vulnerability
- date: 5/2026
- severity: 100
- impact: 5
- explanation: Attack threatening the organization's existence
- affected entity: WebPros Plesk (Software Vendor; industry: Web Hosting/IT Services); customers affected: hosting providers, managed service providers, and enterprises running Plesk on Linux
- attack vector: Network
- date publicly disclosed: 2026-05-29
- description: A severe security flaw in WebPros Plesk, a widely used web hosting control panel, has been discovered, allowing authenticated low-privilege attackers to execute arbitrary OS commands and gain full server control. The vulnerability, tracked as CVE-2026-44962, carries a CVSS 3.1 score of 10.0 and resides in Plesk's APS Application Catalog search functionality due to improper input sanitization in XPath queries (CWE-643).
- impact: operational impact: full server control, arbitrary OS command execution, local privilege escalation; systems affected: Plesk for Linux with APS Catalog feature enabled
- post-incident analysis: corrective actions: patch release and configuration mitigation (disabling APS Catalog); root causes: improper input sanitization in XPath queries (CWE-643)
- recommendations: apply patches immediately; disable APS Catalog feature if patching is not feasible
- references: Security Researcher (Georgii Shutiaev)
- response: containment measures: disable APS Catalog feature via /usr/local/psa/admin/conf/panel.ini; remediation measures: apply patches (Plesk 18.0.76.2 or 18.0.75.1)
- title: Critical Plesk Vulnerability (CVE-2026-44962) Exposes Linux Servers to Full Takeover
- type: Vulnerability Exploitation
- vulnerability exploited: CVE-2026-44962 (Improper Neutralization of Data within XPath Expressions - CWE-643)