A critical security vulnerability, identified as CVE-2026-44962, has been discovered in Plesk’s APS Application Catalog component. This flaw allows authenticated users to execute arbitrary operating system commands on affected servers, posing a significant risk to confidentiality, integrity, and availability.
Understanding the Vulnerability
The root cause of this vulnerability is an XPath injection flaw within the APS Catalog’s search functionality. Specifically, user-supplied input is improperly handled and directly incorporated into XPath queries without adequate sanitization. This oversight enables attackers to manipulate query logic and control how data is retrieved from XML-based storage.
In practical terms, a low-privileged, authenticated user can exploit this flaw to escalate privileges and execute arbitrary commands on the underlying server. The attack requires only network access and minimal privileges, without any user interaction, making it relatively easy to exploit in real-world environments. Furthermore, the vulnerability is rated with a changed scope (CVSS Scope: Changed), meaning a successful exploit can affect resources beyond the security boundary of the vulnerable component itself.
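To make the root cause concrete, here is an added example (not Plesk's code; the catalog element name, the `application`/`name` query shape and the function names are assumed) that contrasts the vulnerable pattern, untrusted input interpolated into an XPath string, with the hardened one, where the input is emitted as a proper XPath 1.0 literal. XPath 1.0 literals have no escape syntax, so a value containing both quote kinds has to be assembled with concat(); where the XPath engine supports variable binding (a `$term` parameter), that is the preferred fix and the literal builder is the fallback.

```python
# Added example, not Plesk's code: a hypothetical catalog lookup by name.
# XPath 1.0 literals have no escape syntax, so untrusted text must either be
# bound as an engine variable or emitted as a literal via concat(), as here.

def xpath_literal(value: str) -> str:
    """Render value as an XPath 1.0 string literal, whatever quotes it holds."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    pieces = []
    for i, part in enumerate(value.split("'")):
        if i:
            pieces.append('"\'"')  # the single quote itself, double-quoted
        if part:
            pieces.append(f"'{part}'")
    return "concat(" + ", ".join(pieces) + ")"

def build_query_unsafe(term: str) -> str:
    """Vulnerable pattern: a quote in term closes the literal and the rest is
    parsed as query syntax, which is how an XPath injection starts."""
    return f"//application[name='{term}']"

def build_query_safe(term: str) -> str:
    """Hardened pattern: the input can only ever be a string literal."""
    return f"//application[name={xpath_literal(term)}]"

def _read_literal(s: str, i: int):
    """Read one quoted literal at s[i]; return (value, next_index) or None."""
    if i >= len(s) or s[i] not in "'\"":
        return None
    j = s.find(s[i], i + 1)
    return None if j < 0 else (s[i + 1:j], j + 1)

def literal_value(expr: str):
    """String denoted by a literal or concat() of literals, else None."""
    s = expr.strip()
    if not (s.startswith("concat(") and s.endswith(")")):
        r = _read_literal(s, 0)
        return r[0] if r and r[1] == len(s) else None
    i, end, out = len("concat("), len(s) - 1, []
    while (r := _read_literal(s, i)) is not None:
        out.append(r[0])
        i = r[1]
        if i == end:
            return "".join(out)
        if s[i:i + 2] != ", ":
            return None
        i += 2
    return None
```

`literal_value` is a small checker: the safe builder's predicate always round-trips to the original input, while the unsafe builder's predicate stops being a single literal as soon as the input contains a quote.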
Potential Impact
The exploitation of this vulnerability can lead to severe consequences, including:
– Unauthorized Access: Attackers can gain unauthorized access to sensitive data and system resources.
– Data Manipulation: Malicious actors can alter or delete critical data, compromising data integrity.
– System Compromise: The ability to execute arbitrary commands can lead to full system compromise, allowing attackers to install malware, create backdoors, or disrupt services.
Mitigation Measures
Plesk has acknowledged the issue and released patched versions to address the flaw. The vulnerability has been fixed in Plesk versions 18.0.76.2 and 18.0.75.1, which were made available in late February 2026. Users are strongly advised to update their installations immediately to mitigate the risk of exploitation.
For environments where immediate patching is not feasible, Plesk has provided a temporary workaround. Administrators can disable the APS Catalog functionality by modifying the panel configuration file at `/usr/local/psa/admin/conf/panel.ini`. While this reduces exposure, it is not a substitute for applying the official security update.
Broader Context
This incident underscores the critical importance of proper input handling in web applications. XPath injection vulnerabilities are particularly dangerous in applications that rely on XML data processing, as they can bypass traditional input validation controls. The improper neutralization of input enables attackers to craft malicious queries that effectively alter backend execution behavior.
Security researchers note that such vulnerabilities highlight the ongoing risks associated with improper input handling and reinforce the necessity of secure coding practices and timely patch management to reduce the attack surface.
Recommendations for Administrators
1. Immediate Patching: Update Plesk installations to the latest versions (18.0.76.2 or 18.0.75.1) to address the vulnerability.
2. Temporary Workaround: If immediate patching is not possible, disable the APS Catalog functionality by modifying the panel configuration file.
3. Access Control Review: Review and restrict user permissions to minimize the risk of exploitation by low-privileged users.
4. Monitoring: Implement monitoring for suspicious command execution activity to detect potential exploitation attempts.
5. Secure Coding Practices: Ensure that all user inputs are properly sanitized and validated to prevent injection vulnerabilities.
Conclusion
The discovery of CVE-2026-44962 in Plesk’s APS Application Catalog component serves as a stark reminder of the importance of robust security practices in web application development and maintenance. By promptly applying patches, implementing temporary workarounds where necessary, and adhering to secure coding standards, organizations can protect their systems from potential exploitation and maintain the integrity of their data and services.