Articles in this section

Vulnerability CVE-2026-48614 in Plesk XML API

Situation

A security vulnerability allowing local privilege escalation was discovered in Plesk's XML API. This security vulnerability has been identified as CVE-2026-48614.

Affected Product Versions

Product / Component Affected Versions Patched Versions Unaffected Versions
Plesk XML API Below 18.0.30 18.0.30 - 18.0.78.4 18.0.79 and later

Impact

Local privilege escalation (LPE) is possible. Plesk versions lower than Plesk 18.0.30 are vulnerable.

Call to Action

The vulnerability is fixed in Plesk 18.0.30 and later. Install the latest Plesk updates to remediate the issue.

If updating is not possible, apply the following mitigation:

Disable the Plesk XML API

Disable or restrict access to the Plesk XML API to prevent exploitation. Follow the steps in How to disable or restrict Plesk XML API.

Acknowledgements

We would like to thank Georgii Shutiaev for responsibly disclosing this vulnerability and working with us to help protect our customers.

Was this article helpful?

Comments

2 comments
Date Votes
  • Can you please confirm whether this CVE affects Plesk Onyx 17.x installations running on Windows?

    0
  • Article would be significantly more useful if it explained how one determines if the patch has been installed to one of the versions listed as eligible for patching.

    0

Please sign in to leave a comment.