A critical privilege escalation vulnerability, 'CVE-2026-44962', has been reported in Plesk for Linux, a widely used web hosting control panel. It carries the maximum CVSSv3.1 base score of 10.0. A low-privileged but authenticated user who exploits it can execute arbitrary OS commands on the server and gain root privileges. A patch has already been released, but unpatched environments need urgent countermeasures.
Vulnerability Overview and Scope of Impact
This vulnerability, 'CVE-2026-44962', stems from an XPath injection flaw in the search function of Plesk for Linux's APS application catalog. User-provided input is inserted into XPath queries without proper sanitization, so a crafted search term can change the logic of the query rather than being treated as a plain string value. According to the report, an authenticated but otherwise low-privileged Plesk user can leverage this to execute arbitrary OS commands on the server.
This could lead to devastating damage, such as access to sensitive information, website defacement, destruction of server resources, and even complete server takeover. Especially in shared hosting environments and multi-tenant systems, the potential for widespread damage is high, requiring immediate action.
Specific Impacts and Attack Scenarios
An attacker who holds valid Plesk login credentials, even for a very low-privileged account, can inject malicious XPath fragments through the APS application catalog's search function. The backend processes the resulting query, and the outcome reported for this vulnerability is the execution of attacker-chosen OS commands with root privileges.
With root on the host, the attacker can read any file on the server (for example `/etc/passwd`, or files normally protected from ordinary users), stop critical services, and upload and execute malware. Every website hosted on the affected Plesk server, together with its data, is therefore at risk of complete compromise.
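To make the injection mechanism concrete, here is an added example; it is not Plesk's code, and the advisory does not publish the affected code path. It models a generic catalog search that splices the search term into an XPath predicate, shows how a crafted term rewrites the query's logic, and contrasts it with a quote-safe literal built with XPath 1.0 concat() plus an allow-list on the term. The element names, function names and the package-name allow-list are invented for the demonstration.

```python
"""XPath injection in a catalog search: vulnerable vs. hardened query construction.

Added example, not Plesk code. The element names, function names and the
allow-list below are invented for the demonstration.
"""
import re


def build_query_unsafe(term: str) -> str:
    """Vulnerable: the user-supplied term is spliced straight into the predicate.

    A term such as  ' or '1'='1  turns the predicate into
    (@visibility='public' and name='') or '1'='1', which is true for every
    package, so the visibility restriction no longer applies.
    """
    return f"//package[@visibility='public' and name='{term}']"


def xpath_literal(value: str) -> str:
    """Return an XPath 1.0 string literal that denotes exactly `value`.

    XPath 1.0 has no escape sequence for quotes. A value with no single quote
    is single-quoted, a value with no double quote is double-quoted, and a
    value containing both is expressed as concat() of single-quoted pieces
    joined by the double-quoted literal "'".
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    pieces = []
    parts = value.split("'")
    for i, part in enumerate(parts):
        if part:
            pieces.append(f"'{part}'")
        if i < len(parts) - 1:
            pieces.append('"\'"')  # the literal "'" (a single quote, double-quoted)
    return "concat(" + ", ".join(pieces) + ")"


def build_query_safe(term: str) -> str:
    """Hardened: the term can only ever be a string value inside the predicate."""
    return f"//package[@visibility='public' and name={xpath_literal(term)}]"


# Defence in depth: catalog package names are simple tokens, so reject anything
# else before it reaches the query builder at all. This allow-list is an
# assumption for the example, not a rule taken from Plesk.
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def is_valid_package_name(term: str) -> bool:
    """True only for terms that look like a plain package name."""
    return bool(PACKAGE_NAME_RE.match(term))


if __name__ == "__main__":
    payload = "' or '1'='1"
    print("unsafe :", build_query_unsafe(payload))
    print("safe   :", build_query_safe(payload))
    print("allowed:", is_valid_package_name(payload))
```

The allow-list is the cheaper fix when the search field only ever needs to match package names; `xpath_literal()` is the general fix for fields that legitimately contain quotes. In a real engine such as libxml2 the unsafe query above would match every package, public or not; a precise evaluation is omitted here because the standard library's XPath subset rejects the `or` predicate instead of evaluating it.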
Measures Engineers Should Take Immediately
The most important measure is to update Plesk promptly. Plesk released fixed builds for both maintained branches in February 2026: 18.0.76.2 and 18.0.75.1. Check which branch your servers run and confirm that the installed build is at or above the fixed build for that branch.
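As an added helper, not Plesk's own tooling, the following Python compares a version string against the two fixed builds named above. It assumes that the `plesk version` CLI prints a line beginning `Product version:` and that branches newer than 18.0.76 already carry the fix; both assumptions are flagged in the code and are not stated by the advisory.

```python
"""Compare an installed Plesk for Linux version with the fixed builds named in
the advisory for CVE-2026-44962 (18.0.76.2 and 18.0.75.1).

Added example, not Plesk's own tooling. Assumptions (not stated by the
advisory): branches newer than 18.0.76 already contain the fix, and
`plesk version` prints a line starting with "Product version:".
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Fixed build per maintenance branch, as listed in the advisory.
FIXED_BY_BRANCH: Dict[Version, Version] = {
    (18, 0, 75): (18, 0, 75, 1),
    (18, 0, 76): (18, 0, 76, 2),
}
NEWEST_FIXED_BRANCH = max(FIXED_BY_BRANCH)


def parse_version(text: str) -> Version:
    """Extract the first dotted version number from text, e.g. '18.0.75.1'."""
    match = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(version_text: str) -> bool:
    """True if the version contains the fix for CVE-2026-44962.

    Tuples compare element-wise, so (18, 0, 75, 0) < (18, 0, 75, 1), and a
    three-component version such as 18.0.76 sorts below 18.0.76.2.
    """
    version = parse_version(version_text)
    branch = version[:3]
    if branch in FIXED_BY_BRANCH:
        return version >= FIXED_BY_BRANCH[branch]
    # Assumption: later branches were cut after the fix and include it.
    if branch > NEWEST_FIXED_BRANCH:
        return True
    # Older branches have no fixed build listed; treat them as needing an update.
    return False


def installed_version() -> Optional[str]:
    """Run `plesk version` and return its 'Product version:' line, or None if
    the CLI is unavailable. The output format is an assumption."""
    try:
        out = subprocess.run(["plesk", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    for line in out.splitlines():
        if line.strip().startswith("Product version:"):
            return line.strip()
    return None


if __name__ == "__main__":
    line = installed_version()
    if line is None:
        raise SystemExit("plesk CLI not found; pass a version string to is_patched() instead")
    status = "patched" if is_patched(line) else "VULNERABLE - update Plesk"
    print(f"{line} -> {status}")
```

Run it on each host as root (the `plesk` CLI needs it), or feed `is_patched()` the version strings collected by your inventory tooling to find the servers that still need the update.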
If an immediate update is not feasible, a temporary mitigation is to disable the APS application catalog function in Plesk's configuration and to block requests to the APS catalog paths at the web server that fronts the Plesk panel (for example nginx). The fragment below is nginx syntax; the path it matches is a placeholder that must be adjusted to the actual APS catalog path of your installation, and the rule should be validated in a test environment first, since it may break legitimate catalog use. It reduces exposure only until the update is applied.
# Block access to the Plesk APS Application Catalog (CVE-2026-44962 mitigation)
# This may interfere with Plesk functionality; validate it in a test environment first.
# Updating Plesk remains the top priority; this only limits exposure until then.
location ~* ^/aps-catalog/ {  # adjust to match the actual APS Catalog path
    deny all;                 # nginx answers 403 on its own; no extra return needed
}
# If the whole Plesk /aps/ endpoint has to be disabled instead (broader impact):
# location ~* ^/aps/ {
#     deny all;
# }