cvedb.io
CVE-2026-44962
CRITICAL · CVSS 9.9
EPSS exploitation probability: 0%
Published 2026-05-29T16:16:27.567 · Last modified 2026-06-17T10:51:32.520

Summary

Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.