securityonline.info 6/1/2026, 7:21:17 AM · external

Plesk CVE-2026-44962 Flaw Lets Low Priv Users Gain Server Access

CyberSIXT Evidence Panel
Primary source: support.plesk.com
CISA KEV: not in KEV
Patch status: unknown

A critical vulnerability (CVE-2026-44962) has been discovered in Plesk, a popular web hosting control panel, that allows low-privileged users to escalate privileges and execute arbitrary commands on affected Linux servers. The flaw is tied to an XPath injection in the APS Application Catalog search functionality and carries the maximum CVSS severity score of 10.

Plesk has issued patches in versions 18.0.76.2 and 18.0.75.1. Users who are delayed in applying these updates must manually disable the vulnerable APS subsystem by modifying the panel.ini configuration file. Regular patch management practices are advised to maintain server security.
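To triage a fleet against the two fixed builds named above, the following added example (not from the article or from Plesk) classifies version strings collected from each server. It assumes the strings come from `plesk version` output in the form shown in the constructed sample, that releases newer than 18.0.76 include the fix, and that older branches have no fixed build because the article lists none; the hostnames are constructed.

```python
import re

# Fixed builds named in the article: release branch -> minimum update number.
FIXED = {(18, 0, 76): 2, (18, 0, 75): 1}
NEWEST_FIXED_BRANCH = max(FIXED)

# First dotted version in the text, e.g. "18.0.76.1"; the update part is optional.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\b")


def parse_version(text):
    """Return ((major, minor, release), update) or None if no version is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    # A missing update number is treated as 0 so the host is flagged, not cleared.
    update = int(m.group(4)) if m.group(4) is not None else 0
    return branch, update


def classify(text):
    """Classify one server as patched, needs-update, needs-upgrade or unknown."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    branch, update = parsed
    if branch in FIXED:
        return "patched" if update >= FIXED[branch] else "needs-update"
    if branch > NEWEST_FIXED_BRANCH:
        return "patched"  # assumption: later releases carry the fix
    return "needs-upgrade"  # older branch: no fixed build listed in the article


def triage(inventory):
    """Map each host to its status; hosts that are not patched sort first."""
    result = {host: classify(text) for host, text in inventory.items()}
    return dict(sorted(result.items(), key=lambda kv: (kv[1] == "patched", kv[0])))


if __name__ == "__main__":
    # Constructed sample inventory: host -> captured `plesk version` output.
    sample = {
        "web01.example.net": "Product version: Plesk Obsidian 18.0.76.2",
        "web02.example.net": "Product version: Plesk Obsidian 18.0.76.1",
        "web03.example.net": "Product version: Plesk Obsidian 18.0.74.3",
        "web04.example.net": "command not found",
    }
    for host, status in triage(sample).items():
        print(f"{host}\t{status}")
```

Hosts reported as `needs-update`, `needs-upgrade` or `unknown` are the ones where the APS subsystem should be disabled in panel.ini until the fix is confirmed.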


Article by CyberSIXT