Plesk's APS Application Catalog search functionality contains an XPath injection vulnerability (CWE-643) where user-supplied input is interpolated into XPath queries without proper sanitization. An authenticated attacker with low privileges can exploit this to execute arbitrary operating system commands, achieving local privilege escalation. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) indica [truncated]
A critical remote code execution vulnerability exists in the Comet Backup server. Insufficient character filtering in the backup agent signing module allows an authenticated tenant administrator to execute arbitrary code with elevated privileges on the affected server and connected devices. The vulnerability was disclosed on May 28, 2026, and carries a CVSS 3.1 score of 9.0 (Critical). The attack vector i [truncated]
CVE-2026-41940 is a WebPros cPanel & WHM and WP2 (WordPress Squared) vulnerability described as a missing authentication issue affecting a critical function. CISA added the issue to its Known Exploited Vulnerabilities catalog on 2026-04-30 and marked it as having known ransomware campaign use, which makes this a high-priority remediation item for any exposed deployment. Because the supplied corpus does no [truncated]
