Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.
User-supplied input is inserted directly into XPath queries without proper sanitization (CWE-643). An attacker can craft a malicious query in the APS catalog search field, which will be interpreted by the XPath engine in an unintended manner. As a result, it is possible to execute arbitrary operating system commands on the server, leading to local privilege escalation.
An authenticated user with low privileges can execute arbitrary system commands on the server and obtain a higher level of privileges (privilege escalation), which in practice can result in complete takeover of system control.
Patches available from the vendor should be applied according to the references: https://support.plesk.com/hc/en-us/articles/38633651286679-Vulnerability-CVE-2026-44962-in-Plesk-s-APS-Catalog
Plesk — versions indicated in vendor references (APS application catalog search function)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H