CVE-2026-44962: XPath Injection Enables Local Privilege Escalation in Plesk

A significant security flaw has been identified in the Plesk control panel ecosystem, presenting a high-risk vector for local privilege escalation. Tracked as CVE-2026-44962, this vulnerability allows authenticated users with minimal permissions to bypass security boundaries and execute arbitrary operating system commands on the underlying Linux host.

The flaw resides within the APS (Application Packaging System) Application Catalog’s search functionality. From a technical standpoint, the issue stems from improper input sanitization, which allows an attacker to manipulate backend queries. While much of the industry’s focus remains on SQL injection, this case serves as a stark reminder that XPath injection can be equally devastating when it intersects with administrative or system-level processes.

Technical Breakdown: From Injection to Command Execution

The root cause is an insecure design pattern where user-supplied strings are directly concatenated into XPath queries used by the APS catalog. By injecting specialized XPath syntax, an attacker can break out of the intended query logic. In the context of Plesk, this logic is tightly coupled with administrative functions, meaning a successful injection doesn’t just leak data—it provides a bridge to the system shell.

For administrators managing multi-tenant environments or shared hosting servers, the implications are severe. An attacker occupying a low-privileged user account can escalate their reach, moving laterally across the system to achieve full server compromise. This effectively nullifies the isolation expected in a multi-user hosting environment.

  1. Vulnerability Profile & Remediation

While the initial GitHub Advisory did not explicitly list all impacted versions, Plesk has since confirmed the release of critical security patches. If you are running Plesk for Linux, you should verify your current version immediately.

Attribute Technical Details
CVE Identifier CVE-2026-44962
Affected Product Plesk for Linux
Vulnerability Class XPath Injection / Command Injection
Impact Severity Critical (Local Privilege Escalation)
Fixed Versions 18.0.76.2 and 18.0.75.1

Immediate Action Required: It is strongly recommend upgrading to the patched versions listed above. Automated patch management should be prioritized to close this window of exploitation.

Temporary Mitigation Strategies

If your organization cannot perform an immediate upgrade due to change management constraints, Plesk has outlined a temporary workaround to reduce the attack surface. You can disable the vulnerable APS functionality by modifying the system configuration:

  1. Access the server via SSH.
  2. Locate the panel configuration file: /usr/local/psa/admin/conf/panel.ini
  3. Add the appropriate configuration entry to disable APS support.

Note: This is a tactical mitigation, not a permanent fix. Disabling APS may limit certain administrative capabilities, so it should only be used as a stopgap until patching is complete.

The discovery and responsible disclosure of CVE-2026-44962 by researcher Georgii Shutiaev highlights the ongoing battle to secure web hosting control panels. As threat actors increasingly automate scans for known vulnerabilities, the time between disclosure and exploitation is shrinking.

Organizations must move beyond reactive security and adopt a proactive stance—prioritizing strict input validation, consistent patch deployment, and rigorous monitoring of server logs to detect signs of attempted exploitation.

Related Articles

Back to top button