{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-44962","assignerOrgId":"36234546-b8fa-4601-9d6f-f4e334aa8ea1","state":"PUBLISHED","assignerShortName":"hackerone","dateReserved":"2026-05-08T15:00:02.447Z","datePublished":"2026-05-29T15:41:23.795Z","dateUpdated":"2026-05-29T16:43:18.000Z"},"containers":{"cna":{"descriptions":[{"lang":"en","value":"Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation."}],"affected":[{"defaultStatus":"unaffected","vendor":"WebPros","product":"Plesk","versions":[{"version":"18.0.75.1","status":"affected","lessThan":"18.0.75.1","versionType":"semver"},{"version":"18.0.76.2","status":"affected","lessThan":"18.0.76.2","versionType":"semver"}]}],"references":[{"url":"https://support.plesk.com/hc/en-us/articles/38633651286679-Vulnerability-CVE-2026-44962-in-Plesk-s-APS-Catalog"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":10,"baseSeverity":"CRITICAL"}}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","cweId":"CWE-643","description":"CWE-643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')"}]}],"providerMetadata":{"orgId":"36234546-b8fa-4601-9d6f-f4e334aa8ea1","shortName":"hackerone","dateUpdated":"2026-05-29T15:41:23.795Z"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-29T16:43:11.003611Z","id":"CVE-2026-44962","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-29T16:43:18.000Z"}}]}}