Situation
A security vulnerability allowing local privilege escalation was discovered in Plesk's XML API. It is tracked as CVE-2026-48614.
Affected Product Versions
| Product / Component | Affected Versions | Patched Versions | Unaffected Versions |
|---|---|---|---|
| Plesk XML API | Below 18.0.30 | 18.0.30 - 18.0.78.4 | 18.0.79 and later |
Impact
Local privilege escalation (LPE) is possible. Plesk versions lower than Plesk 18.0.30 are vulnerable.
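To check a server against the table above, the following added example (not Plesk's own code) classifies a Plesk version string into the table's columns. It assumes the installed version is stored in /usr/local/psa/version, as on Plesk for Linux; the function names are illustrative. Versions between 18.0.78.4 and 18.0.79 are reported as "unlisted" because the table does not cover them.

```shell
#!/bin/sh
# Added example: classify a Plesk version against the advisory's version table.
# Thresholds come from the table; the version-file path is an assumption.

# ver_lt A B: succeed if dotted version A is strictly lower than B.
# Missing components count as 0, so 18.0.78 is lower than 18.0.78.4.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1    # equal versions are not "lower than"
}

# plesk_advisory_status "<version string>": prints one of
# affected | patched | unaffected | unlisted | unknown
plesk_advisory_status() {
    v=${1%% *}    # keep the first field, e.g. "18.0.29 Ubuntu ..." -> "18.0.29"
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;    # not a dotted number
    esac
    if ver_lt "$v" 18.0.30; then
        echo affected
    elif ver_lt 18.0.78.4 "$v"; then
        # Above the patched range: unaffected only from 18.0.79 onward.
        if ver_lt "$v" 18.0.79; then echo unlisted; else echo unaffected; fi
    else
        echo patched
    fi
}

# Report on the local host when the version file is present (assumed path).
VERSION_FILE=${PLESK_VERSION_FILE:-/usr/local/psa/version}
if [ -r "$VERSION_FILE" ]; then
    plesk_advisory_status "$(cat "$VERSION_FILE")"
fi
```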
Call to Action
The vulnerability is fixed in Plesk 18.0.30 and later. Install the latest Plesk updates to remediate the issue.
If updating is not possible, apply the following mitigation:
Disable the Plesk XML API
Disable or restrict access to the Plesk XML API to prevent exploitation. Follow the steps in "How to disable or restrict Plesk XML API".
Acknowledgements
We would like to thank Georgii Shutiaev for responsibly disclosing this vulnerability and working with us to help protect our customers.