PatchSiren cyber security CVE debrief

CVE-2026-44962 WebPros CVE debrief

Plesk's APS Application Catalog search functionality contains an XPath injection vulnerability (CWE-643) where user-supplied input is interpolated into XPath queries without proper sanitization. An authenticated attacker with low privileges can exploit this to execute arbitrary operating system commands, achieving local privilege escalation. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) indicates network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and high impact across confidentiality, integrity, and availability—resulting in a critical 9.9 score. The vulnerability was published to NVD on 2026-05-29 and remains in 'Awaiting Analysis' status. Plesk has published official guidance via their support portal. No known exploitation in ransomware campaigns has been documented (KEV: false).

Vendor: WebPros
Product: Plesk
CVSS: CRITICAL 9.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Plesk hosting providers, shared hosting administrators, web hosting security teams, and organizations using Plesk for server management should prioritize this vulnerability due to the common deployment model where multiple low-privileged users share Plesk-managed infrastructure.

Technical summary

The APS Application Catalog in Plesk fails to sanitize user input before incorporating it into XPath queries. This XPath injection flaw allows authenticated users with minimal permissions to manipulate query logic and ultimately execute arbitrary commands on the underlying operating system. The vulnerability represents a significant privilege escalation path, as low-privileged web users can gain full system control. The changed scope (S:C) in CVSS scoring indicates the vulnerable component impacts resources beyond its security authorization.

Defensive priority

critical

Recommended defensive actions

  • Apply patches from Plesk when available per vendor security advisory
  • Restrict APS Catalog search functionality access to administrative users only until patching
  • Monitor authentication logs for unusual APS Catalog search patterns from low-privileged accounts
  • Implement input validation and parameterized queries for XPath operations in custom integrations
  • Review server process execution logs for unexpected OS commands originating from Plesk web processes
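As an added illustration of the interpolation flaw described in the technical summary and of the "parameterized queries for XPath operations" recommendation above (example code written for this debrief, not Plesk's code; the element name, the builder helpers, the allowlist and the log-review heuristic are assumptions):

```python
import re

# Added example (not Plesk's code): the unsafe string-building pattern the
# advisory describes (CWE-643) beside a hardened builder. XPath 1.0 string
# literals have no escape sequence, so a value holding both quote kinds must
# be assembled with concat(); otherwise quote with the kind it lacks.

# Allowlist for a catalog search term, applied before any query is built.
# Width and character set are assumptions for this example.
_SEARCH_TERM = re.compile(r"^[A-Za-z0-9 ._+-]{1,64}$")

# Characters a plain search term never needs but query tampering does;
# handy when reviewing request logs for unusual catalog searches.
_TAMPER = re.compile(r"""['"\[\]()|/=]""")


def xpath_literal(value: str) -> str:
    """Return an XPath 1.0 literal that evaluates to exactly `value`."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    # Both quote kinds present: split on the single quotes and rejoin the
    # pieces with concat(), each quote carried as its own literal.
    pieces = []
    parts = value.split("'")
    for i, part in enumerate(parts):
        if part:
            pieces.append(f"'{part}'")
        if i < len(parts) - 1:
            pieces.append("\"'\"")
    return "concat(" + ", ".join(pieces) + ")"


def build_search_unsafe(term: str) -> str:
    """Vulnerable pattern: the term is interpolated straight into the query."""
    return f"//application[contains(name, '{term}')]"


def build_search_safe(term: str) -> str:
    """Hardened pattern: the term is carried as one XPath string literal."""
    return f"//application[contains(name, {xpath_literal(term)})]"


def term_allowed(term: str) -> bool:
    """Allowlist check a search endpoint can apply before querying."""
    return _SEARCH_TERM.match(term) is not None


def looks_tampered(term: str) -> bool:
    """Log-review heuristic: does a logged search term carry query syntax?"""
    return _TAMPER.search(term) is not None
```

With a constructed input such as `' or '1'='1`, the unsafe builder lets the quote close the literal and alter the predicate, while the safe builder keeps the whole term inside one literal and the allowlist rejects it outright.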

Evidence notes

Vendor identification derived from reference_domain_candidate 'Plesk' with low confidence; requires review. Official Plesk support article confirms vulnerability details.

Official resources

2026-05-29