Filtered by vendor Webpros
Subscriptions
Filtered by product Plesk
Subscriptions
Total
3 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-56843 | 1 Webpros | 1 Plesk | 2026-07-14 | 9.9 Critical |
| Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up domains they do not own, because ownership is enforced only for certain lookup filters and schema validation is bypassed for legacy protocol versions. This results in cross-tenant disclosure of other tenants' FTP credentials stored in cleartext, which can be leveraged to execute code as another tenant's system user. | ||||
| CVE-2026-48614 | 1 Webpros | 1 Plesk | 2026-07-07 | 9.9 Critical |
| An improper authorization vulnerability in the Plesk XML API allows an authenticated user to inject arbitrary configuration directives, resulting in arbitrary file write as root and full privilege escalation on the underlying server. | ||||
| CVE-2026-44962 | 1 Webpros | 1 Plesk | 2026-05-30 | 10 Critical |
| Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation. | ||||
Page 1 of 1.