Plesk security advisory (AV26-534)
# Vulnerability: Plesk for Linux Remote Code Execution in APS Catalog
## CVE Details
- **CVE ID:** CVE-2026-44962
- **CVSS Score:** 9.8 (Critical) *(Based on standard severity for unauthenticated RCE in this component)*
- **CWE:** Not specifically listed (Likely CWE-94: Improper Control of Generation of Code or CWE-20: Improper Input Validation)
## Affected Systems
- **Products:** Plesk for Linux
- **Versions:**
  - Versions prior to 18.0.75.1
  - Versions prior to 18.0.76.2
- **Configurations:** Systems with the Application Packaging Standard (APS) Catalog enabled or accessible.
## Vulnerability Description
The vulnerability exists within the APS (Application Packaging Standard) Catalog component of Plesk for Linux. It allows an unauthenticated remote attacker to execute arbitrary code on the server. The flaw stems from insufficient validation of input processed by the APS controller, which can be leveraged to trigger remote code execution with the privileges of the Plesk service.
## Exploitation
- **Status:** Not explicitly stated as exploited in the wild, but classified as critical.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** Total (Full access to server data and hosted customer files)
- **Integrity:** Total (Ability to modify system files and web content)
- **Availability:** Total (Ability to shut down services or delete system data)
## Remediation
### Patches
Plesk has released the following versions to address this vulnerability:
- **Plesk for Linux 18.0.75.1**
- **Plesk for Linux 18.0.76.2** (and all subsequent versions)
Users are advised to run the Plesk installer or use the CLI command `plesk installer update` to ensure they are on the latest micro-update.
### Workarounds
No official workarounds provide full protection. Immediate patching is the recommended course of action given the unauthenticated nature of the vulnerability.
## Detection
- **Indicators of Compromise:** Monitor web server logs for unusual POST requests directed at APS catalog endpoints. Check for unauthorized files in `/tmp` or unexpected processes running under the `psa` or `root` users.
- **Detection methods and tools:** Use standard file integrity monitoring (FIM) to spot unexpected file changes, and check the installed Plesk version on the command line with `plesk version`.
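
The version check above has a trap: the fix shipped on two branches, so a single "less than" comparison either flags a patched 18.0.75.1 host or misses an unpatched 18.0.76.1 host. The following is an added example, not code from Plesk or the advisory; the function names are hypothetical and the `plesk version` output layout (a `Product version:` line) is an assumption, with a constructed sample embedded.

```python
import re

# Fixed micro-updates named in the advisory, keyed by release branch.
FIXED_MICRO_UPDATE = {(18, 0, 75): 1, (18, 0, 76): 2}

# Matches 18.0.76 or 18.0.76.1; a missing micro-update number is read as 0.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")

# Constructed sample of `plesk version` output (layout is an assumption).
SAMPLE_OUTPUT = """Product version: Plesk Obsidian 18.0.76.1
     OS version: Ubuntu 22.04 x86_64
     Build date: 2026/01/01 10:00
"""


def parse_version(text):
    """Return (major, minor, release, micro) from command output or a bare version."""
    lines = text.splitlines()
    line = next((l for l in lines if "product version" in l.lower()), text)
    match = VERSION_RE.search(line)
    if not match:
        raise ValueError("no Plesk version found in input")
    return tuple(int(g or 0) for g in match.groups())


def is_patched(version):
    """Apply the advisory's per-branch fixed versions to a parsed version tuple."""
    branch, micro = version[:3], version[3]
    if branch in FIXED_MICRO_UPDATE:
        return micro >= FIXED_MICRO_UPDATE[branch]
    # Branches newer than the last fixed one fall under "all subsequent versions";
    # branches older than the first fixed one have no fix listed.
    return branch > max(FIXED_MICRO_UPDATE)


def assess(text):
    """Return (version string, 'patched' or 'vulnerable') for one host's output."""
    version = parse_version(text)
    status = "patched" if is_patched(version) else "vulnerable"
    return ".".join(map(str, version)), status


if __name__ == "__main__":
    for host_output in (SAMPLE_OUTPUT, "18.0.75.1", "18.0.74.3", "18.0.77.0"):
        print(*assess(host_output))
```

A "patched" result only confirms the installed build; it says nothing about whether the host was compromised before the update.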
## References
- **Vendor Advisory:** hxxps[://]support[.]plesk[.]com/hc/en-us/articles/38633651286679-Vulnerability-CVE-2026-44962-in-Plesk-s-APS-Catalog
- **Plesk Support:** hxxps[://]support[.]plesk[.]com/hc/en-us
- **Canadian Centre for Cyber Security:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/plesk-security-advisory-av26-534