CVE-2026-48614 — Plesk XML API code injection: authenticated low-privilege user to root (CVSS 9.9)
The Centre for Cybersecurity Belgium (CCB) published a standalone "patch immediately" advisory on 8 July for CVE-2026-48614, a CWE-94 (improper control of code generation / code injection) flaw in Plesk's XML API (CCB, 2026-07-08). An authenticated, low-privilege panel user can send a crafted XML-API request that bypasses the intended authorization boundary and injects arbitrary configuration directives into upstream config generation; because input neutralisation is broken, this yields an arbitrary file write performed as root, i.e. local privilege escalation from any authenticated panel account to full root on the hosting server. CCB scores it CVSS 3.1 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) (CCB, 2026-07-08). Plesk's own advisory confirms the CVE and the LPE impact, thanks independent researcher Georgii Shutiaev for the disclosure, and lists affected versions below 18.0.30, patched in 18.0.30 through 18.0.78.4, with 18.0.79 and later unaffected (Plesk, 2026-07-03). Neither CCB nor Plesk reports in-the-wild exploitation at publication. Mapped to T1068 Exploitation for Privilege Escalation.
The prerequisite is only a valid low-privilege authenticated session — and that is the point for defenders: on multi-tenant shared-hosting Plesk installs, every hosting customer already holds such an account, so the flaw collapses tenant isolation and turns any customer into a path to root on the shared server and thus to every co-tenant's sites and data. Plesk is broadly deployed across Swiss and EU web-hosting providers and public-sector/SME web infrastructure, which is why CCB — a national authority (Admiralty A) — escalated it rather than leaving it to routine patching.
An improper authorization vulnerability in the Plesk XML API allows an authenticated user to inject arbitrary configuration directives.
The exploitation of this flaw can result in an arbitrary file write as the root user, leading to local privilege escalation (LPE).
Defender actions
- Patch Plesk to 18.0.30+ (or 18.0.79+ for the fully unaffected line) now; if patching is delayed, disable or access-restrict the XML API per CCB/Plesk guidance.
- On multi-tenant Plesk installs, monitor XML-API access logs for authenticated accounts issuing calls outside their normal automation pattern, and alert on unexpected root-owned file writes under Plesk config directories immediately after such calls.
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.