Vulnerability CVE-2026-44962 in Plesk's APS Catalog

Applicable to:

  • Plesk for Linux

Situation

A security vulnerability allowing local privilege escalation was discovered in the search functionality of Plesk's APS Catalog. This security vulnerability has been identified as CVE-2026-44962.

Impact

Local privilege escalation (LPE) is possible.

Call to action

On February 24 and 25, 2026, the Plesk Team published fixed versions of Plesk: 18.0.76.2 and 18.0.75.1. 

Update Plesk to a fixed version by following the steps in this guide: How to install Plesk updates

Mitigation

If upgrading is not possible at the moment, apply the workaround by adding the following section to the /usr/local/psa/admin/conf/panel.ini file:

    [aps]
    enabled = off
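
One way to apply this workaround repeatably, for example from a configuration-management run, and then confirm it is in place. This is an added example, not Plesk's own tooling; the function names set_aps_off and aps_is_off are hypothetical, and the path to panel.ini is passed as an argument.

```shell
#!/bin/sh
# Added example, not Plesk tooling. Function names are hypothetical.
# Usage: set_aps_off /usr/local/psa/admin/conf/panel.ini

# Ensure the [aps] section of the INI file at $1 contains "enabled = off".
# Safe to re-run: never duplicates the section, leaves other sections alone.
set_aps_off() {
    ini=$1
    [ -f "$ini" ] || : > "$ini" || return 1      # create the file if absent
    tmp=$(mktemp) || return 1
    awk '
        /^[ \t]*\[/ {                            # any section header
            in_aps = ($0 ~ /^[ \t]*\[aps\][ \t]*$/)
            print
            if (in_aps) { print "enabled = off"; seen = 1 }
            next
        }
        in_aps && /^[ \t]*enabled[ \t]*=/ { next }   # drop the old value
        { print }
        END {                                    # no [aps] section: append one
            if (!seen) { if (NR > 0) print ""; print "[aps]"; print "enabled = off" }
        }
    ' "$ini" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Rewrite in place (keeps owner and mode), and only if something changed.
    cmp -s "$tmp" "$ini" || cat "$tmp" > "$ini"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Return 0 only if the last "enabled" value under [aps] is exactly "off".
aps_is_off() {
    awk '
        /^[ \t]*\[/ { in_aps = ($0 ~ /^[ \t]*\[aps\][ \t]*$/); next }
        in_aps && /^[ \t]*enabled[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); last = v
        }
        END { exit (last == "off" ? 0 : 1) }
    ' "$1"
}
```

A non-zero exit from aps_is_off means the workaround is missing or overridden in that file, which makes it usable as a compliance check until the server is updated.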

Acknowledgements

We would like to thank Georgii Shutiaev for responsibly disclosing this vulnerability and working with us to help protect our customers.
