CVE-2026-44962

Published: Mag 29, 2026 Last Modified: Mag 29, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,9

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: changed

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.

643

Improper Neutralization of Data within XPath Expressions ('XPath Injection')

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control Confidentiality

Potential Impacts:

Bypass Protection Mechanism Read Application Data

Applicable Platforms

All platforms may be affected

Likelihood of Exploit: High

View CWE Details

https://support.plesk.com/hc/en-us/articles/38633651286679-…

https://support.plesk.com/hc/en-us/articles/38633651286679-Vulnerability-CVE-20…

CVE-2026-44962

Description

Improper Neutralization of Data within XPath Expressions ('XPath Injection')

Common Consequences

Applicable Platforms

Iscriviti alla newsletter