Critical Plesk Vulnerability Lets Low-Privileged Users Run Commands on Linux Servers


A critical Plesk vulnerability can allow an authenticated low-privileged user to execute arbitrary operating system commands on an affected Linux server. The flaw is tracked as CVE-2026-44962 and affects the APS Application Catalog search functionality.

The Plesk security article says the issue allows local privilege escalation. That makes it especially important for shared hosting and multi-tenant environments where customers, resellers, or additional users may have limited access to the same Plesk server.

This is not an unauthenticated remote attack. The attacker needs a valid account, but only low privileges, and the impact remains severe because successful exploitation crosses the expected account boundary and reaches the underlying server.

What CVE-2026-44962 allows

The vulnerability exists in the APS Application Catalog search feature. According to the GitHub Advisory Database, user-supplied input is inserted into XPath queries without proper sanitization.

The weakness is mapped to CWE-643, which covers improper neutralization of data inside XPath expressions. XPath injection lets an attacker change how a query behaves, which can affect access checks, application logic, or backend operations.

In this case, the impact goes beyond reading XML data. The advisory states that a low-privileged authenticated user can execute operating system commands on the server, resulting in local privilege escalation.

Key details at a glance

Item                 Details
CVE                  CVE-2026-44962
Affected product     Plesk for Linux
Affected component   APS Application Catalog search functionality
Weakness type        XPath injection
Privileges required  Low
User interaction     None
CNA CVSS score       9.9 Critical
Fixed versions       Plesk 18.0.76.2 and 18.0.75.1

The NVD record says NVD enrichment is still pending, but the CNA score from HackerOne is listed as CVSS 3.1 9.9 Critical. The vector shows network access, low attack complexity, low privileges required, no user interaction, changed scope, and high impact to confidentiality, integrity, and availability.

The changed scope is important. It means the vulnerable component can affect resources beyond its original security boundary, which explains why hosting providers should treat this as more than a normal control panel bug.

Why shared hosting providers should prioritize the patch

Plesk is commonly used to manage websites, domains, mail, databases, and customer accounts from a single hosting control panel. In shared hosting setups, users with limited access may still interact with server-side features through the panel.

That model raises the risk of privilege escalation vulnerabilities. If one low-privileged user can trigger command execution, a hosting provider may face a broader server compromise rather than an issue limited to one subscription.

The vulnerability also affects a component that many administrators may not think about often. APS Catalog functionality can sit outside the daily patch checklist, especially on older or stable hosting servers that run with minimal changes.

Fixed versions are already available

Plesk says the fix was released in Plesk 18.0.76.2 and 18.0.75.1. The Plesk Obsidian change log lists Plesk Obsidian 18.0.76 Update 2 on February 24, 2026, and Plesk Obsidian 18.0.75 Update 1 on February 25, 2026, both noting that they addressed a critical security issue.

Administrators should update Plesk as soon as possible. For internet-facing hosting panels, delayed patching increases the chance that attackers will look for low-privileged accounts they can use as an entry point.

Servers that already run a fixed build should still get reviewed. Administrators should confirm the installed Plesk version, verify that updates completed successfully, and check whether any suspicious activity occurred before the patch was applied.

Temporary workaround if patching is delayed

The Plesk workaround is to disable APS Catalog by adding the following section to the panel.ini configuration file at /usr/local/psa/admin/conf/panel.ini:

[aps]
enabled = off

This workaround reduces exposure, but it should not replace the official update. Administrators should use it only when they cannot patch immediately, then schedule the Plesk update as soon as possible.

After changing panel.ini, teams should verify that APS Catalog functionality is actually disabled in the panel and monitor for errors or user reports. They should also document the change so it does not remain as an unmanaged workaround after patching.

How XPath injection becomes a server risk

XPath injection usually starts when an application builds an XPath query from user-controlled data. The MITRE CWE entry explains that this can let an attacker control the structure of the query, read restricted XML content, bypass checks, or alter application flow.

For a hosting control panel, the risk depends on what the vulnerable feature can reach after the query changes. In CVE-2026-44962, the flaw is severe because exploitation can lead to arbitrary command execution on the server.

That is why input handling flaws in administrative interfaces deserve close attention. Even a search field can become dangerous if user input reaches backend query logic without strict validation and safe query construction.
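The mechanism above, shown as an added example rather than Plesk's code: the CWE-643 pattern of pasting a search term into an XPath expression, next to a hardened builder. XPath 1.0 has no bind parameters and no escape sequence inside string literals, so the safe form validates the term and then encodes it as a literal that cannot terminate early, falling back to concat() when the term contains both quote characters. The element names (app, name) and the search terms are constructed for the illustration; the real catalog structure is not described in the advisory.

```python
import re


def build_query_unsafe(term):
    """The CWE-643 pattern: the search term is pasted straight into the expression.
    A quote character in `term` closes the literal and the remainder is parsed as
    XPath syntax, so the shape of the query is under the caller's control."""
    return "//app[name='%s']" % term


def xpath_literal(s):
    """Encode `s` as an XPath 1.0 string literal that can never terminate early.
    Use single quotes when the text has none, double quotes when it has no double
    quote, and otherwise split on the single quotes and glue the pieces back with
    concat(), supplying each single quote as its own double-quoted literal."""
    if "'" not in s:
        return "'%s'" % s
    if '"' not in s:
        return '"%s"' % s
    parts = s.split("'")
    pieces = []
    for i, part in enumerate(parts):
        if part:
            pieces.append("'%s'" % part)
        if i < len(parts) - 1:
            pieces.append('"\'"')  # the single quote itself
    return "concat(%s)" % ", ".join(pieces)


def validate_search_term(term, max_len=64):
    """Allowlist check applied before any query is built: non-empty, bounded
    length, printable ASCII only. Rejecting early keeps the escaper simple."""
    if not term or len(term) > max_len:
        return False
    return re.fullmatch(r"[\x20-\x7e]+", term) is not None


def build_query_safe(term):
    """Hardened builder: validate, then embed the term as data, not syntax."""
    if not validate_search_term(term):
        raise ValueError("search term rejected")
    return "//app[name=%s]" % xpath_literal(term)


if __name__ == "__main__":
    # Constructed term containing a quote: in the unsafe builder it ends the literal
    # and the rest becomes query logic; in the safe builder it stays inside a literal.
    term = "x' or '1'='1"
    print("unsafe:", build_query_unsafe(term))
    print("safe:  ", build_query_safe(term))
    print("both quotes:", xpath_literal("a'b\"c"))
```

Where the XPath engine supports variables (lxml's `xpath()` accepts them as keyword arguments, for instance), binding the term as a variable is preferable to escaping; the literal encoding above is the fallback for engines that only take a query string.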

What administrators should do now

  • Check every Plesk for Linux server for version 18.0.76.2, 18.0.75.1, or a later fixed build.
  • Update Plesk immediately on affected servers.
  • If immediate patching is not possible, disable APS Catalog through panel.ini.
  • Review low-privileged Plesk accounts, customer accounts, and additional user accounts.
  • Check logs for suspicious APS Catalog search activity or unusual panel requests.
  • Look for unexpected command execution, new cron jobs, changed system files, or unfamiliar admin users.
  • Restrict panel access to trusted IP ranges where business requirements allow it.
  • Enable stronger authentication and remove unused Plesk accounts.
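The version check and the panel.ini workaround from the sections above, carried out in one script. This is an added example, not Plesk's own tooling: it assumes that `plesk version` prints a line such as `Product version: Plesk Obsidian 18.0.76.2` (or the change log's `18.0.76 Update 2` wording), that panel.ini is ordinary INI text that Python's configparser can round-trip, and that any branch newer than 18.0.76 carries the fix. The fixed builds and the panel.ini path are the ones named in the article.

```python
import configparser
import io
import os
import re
import subprocess

# Fixed builds from the Plesk article, as (major, minor, patch, update).
FIXED_BUILDS = [(18, 0, 75, 1), (18, 0, 76, 2)]

# Location of panel.ini on Plesk for Linux, as given in the article.
PANEL_INI = "/usr/local/psa/admin/conf/panel.ini"


def parse_version(text):
    """Pull a Plesk version out of text such as 'Product version: Plesk Obsidian
    18.0.76.2' (assumed `plesk version` output) or '18.0.76 Update 2'.
    A missing update number counts as update 0."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        raise ValueError("no Plesk version found in: %r" % text)
    major, minor, patch, update = m.groups()
    if update is None:
        u = re.search(r"Update\s+(\d+)", text)
        update = u.group(1) if u else 0
    return (int(major), int(minor), int(patch), int(update))


def is_fixed(version):
    """True when `version` is a fixed build for CVE-2026-44962: on the 18.0.75 and
    18.0.76 branches the update number must reach the fixed one; a newer branch is
    assumed to carry the fix; an older branch is not fixed."""
    branch, update = version[:3], version[3]
    for fixed in FIXED_BUILDS:
        if branch == fixed[:3]:
            return update >= fixed[3]
    return branch > max(f[:3] for f in FIXED_BUILDS)


def apply_workaround(ini_text):
    """Return (new_text, changed) for panel.ini contents with the documented
    [aps] enabled = off workaround applied. Pure function so it can be tested
    without touching the real file; idempotent, so re-running is harmless."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # keep key case exactly as Plesk wrote it
    cp.read_string(ini_text)
    current = (cp.get("aps", "enabled", fallback="") or "").strip().lower()
    if current == "off":
        return ini_text, False
    if not cp.has_section("aps"):
        cp.add_section("aps")
    cp.set("aps", "enabled", "off")
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue(), True


def disable_aps_catalog(path=PANEL_INI):
    """Apply the workaround to the file on disk. Returns True if it changed."""
    text = open(path).read() if os.path.exists(path) else ""
    new_text, changed = apply_workaround(text)
    if changed:
        with open(path, "w") as fh:
            fh.write(new_text)
    return changed


def installed_version():
    """Ask the local panel for its version (assumes the `plesk version` CLI)."""
    out = subprocess.run(["plesk", "version"], capture_output=True, text=True, check=True).stdout
    return parse_version(out)


if __name__ == "__main__":
    v = installed_version()
    label = ".".join(map(str, v))
    if is_fixed(v):
        print("Plesk %s is a fixed build; no workaround needed" % label)
    else:
        state = "disabled" if disable_aps_catalog() else "already disabled"
        print("Plesk %s is NOT fixed; APS Catalog %s via %s" % (label, state, PANEL_INI))
```

Take a copy of panel.ini before running this against a live server, since configparser rewrites the whole file and drops comments; on a fixed build the script touches nothing.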

The GitHub advisory lists the issue as critical with a CVSS 3.1 score of 9.9. It also confirms that the attack requires low privileges, works over the network, and needs no user interaction.

The Plesk release notes do not provide full vulnerability details in the February entries, but they show the timing of the critical security updates. The dedicated support article now connects CVE-2026-44962 to those fixed builds.

Why monitoring still matters after patching

Patching closes the known flaw, but administrators should still look for signs of earlier abuse. A successful attacker may create persistence, add users, deploy web shells, modify scheduled tasks, or change server configuration after gaining command execution.

Hosting providers should review system logs, Plesk panel logs, authentication logs, and customer account activity. They should also inspect recent file changes in web roots and administrative directories, especially on servers that had untrusted customer accounts before patching.

There is no public evidence of active exploitation at the time of writing, but critical privilege escalation flaws in hosting control panels can attract fast attention once technical details become widely available. Administrators should not wait for exploitation reports before updating.

FAQ

What is CVE-2026-44962?

CVE-2026-44962 is a critical Plesk for Linux vulnerability in the APS Application Catalog search functionality. It can let an authenticated low-privileged user execute arbitrary operating system commands on the server and gain local privilege escalation.

Is CVE-2026-44962 unauthenticated?

No. The vulnerability requires authentication with low privileges. It does not require user interaction, and the impact is still critical because successful exploitation can lead to command execution on the server.

Which Plesk versions fix CVE-2026-44962?

Plesk says the issue was fixed in Plesk 18.0.76.2 and 18.0.75.1. Administrators should update to one of those builds or a later version.

What is the temporary workaround for CVE-2026-44962?

If patching is not immediately possible, administrators can disable APS Catalog by adding an [aps] section with enabled = off to /usr/local/psa/admin/conf/panel.ini. This should only be a temporary mitigation.

Why is this Plesk flaw dangerous for shared hosting?

Shared hosting servers often have many low-privileged users. If one authenticated user can exploit a control panel flaw to run server commands, the impact can extend beyond a single website or subscription.
