Situation
A security vulnerability allowing local privilege escalation was discovered in Plesk's XML API. This security vulnerability has been identified as CVE-2026-48614.
Affected Product Versions
| Product / Component | Affected Versions | Patched Versions | Unaffected Versions |
|---|---|---|---|
| Plesk XML API | Below 18.0.30 | 18.0.30 - 18.0.78.4 | 18.0.79 and later |
Impact
Local privilege escalation (LPE) is possible. Plesk versions lower than Plesk 18.0.30 are vulnerable.
Call to Action
The vulnerability is fixed in Plesk 18.0.30 and later. Install the latest Plesk updates to remediate the issue.
If updating is not possible, apply the following mitigation:
Disable the Plesk XML API
Disable or restrict access to the Plesk XML API to prevent exploitation. Follow the steps in How to disable or restrict Plesk XML API.
Acknowledgements
We would like to thank Georgii Shutiaev for responsibly disclosing this vulnerability and working with us to help protect our customers.
Comments
Can you please confirm whether this CVE affects Plesk Onyx 17.x installations running on Windows?
Article would be significantly more useful if it explained how one determines if the patch has been installed to one of the versions listed as eligible for patching.
Please sign in to leave a comment.