Articles in this section

Vulnerability CVE-2026-56843: Cleartext FTP Password Exposure in Plesk's XML API

Situation

A security vulnerability was discovered in Plesk's XML API protocol that allows cleartext FTP passwords to be exposed. This issue affects XML protocol versions below 1.4.2.0. This security vulnerability has been identified as CVE-2026-56843.

Affected product version

Product Affected versions Patched version
Plesk Below 18.0.79 18.0.79

Impact

Exposure of cleartext FTP credentials is possible, which may allow an attacker to upload malicious files and execute arbitrary code remotely (RCE).

Call to action

Mitigation

Apply this mitigation only if you can't upgrade right now

Mitigate the vulnerability by disabling API access.

To disable API access, edit panel.ini as described in How to edit Plesk panel.ini and add the following section:

CONFIG_TEXT: [api]
enabled = off

Acknowledgements

We would like to thank Georgii Shutiaev for responsibly disclosing this vulnerability and working with us to help protect our customers.

Was this article helpful?

Comments

0 comments

Please sign in to leave a comment.