This text was generated using artificial intelligence (AI).Update July 8, 2026: In addition, CVE-2026-56843 (CVSS 9.9) has been disclosed, which allows FTP passwords to be exposed in plain text via the XML-RPC API. A patch for this vulnerability is available in version 18.0.78.4. See below for details.
On July 6, 2026, the vendor WebPros disclosed a critical vulnerability in the widely used web hosting control panel Plesk. The vulnerability, identified as CVE-2026-48614, was awarded a CVSS score of 9.9 (critical) Rated. It affects the XML API and allows an authenticated attacker with limited privileges to gain administrative control over the entire server due to a faulty authorization check.
Key Facts:
CVE IDs: CVE-2026-48614, CVE-2026-56843
CVSS Score: 9.9 (Critical) each
Affected software: Plesk (Manufacturer: WebPros)
CVE-2026-48614: Specific affected versions were not specified at the time of disclosure; for the latest information, please refer to the Vendor Advisory.
CVE-2026-56843: Plesk Obsidian < 18.0.78.4
Attack vector: Configuration directive injection via the XML API (CVE-2026-48614); authorization flaw in the XML-RPC API (CVE-2026-56843)
Effect: Escalation of user privileges (privilege escalation) up to root privileges and complete compromise of the server; disclosure of FTP passwords in plain text.
Technical Analysis: CVE-2026-48614
The vulnerability is classified as „Improper Authorization.“ An attacker who already has valid, low-privileged access to the system—for example, as a customer of a shared hosting service—can send specially crafted requests to the XML API. Due to insufficient authorization checks, the system executes these requests with administrative (root) privileges.
The CVSS score CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H illustrates the high risk:
AV:N (Attack Vector: Network): The attack can be carried out over the network.
AC:L (Attack Complexity: Low): It doesn't require any complicated preparation.
PR:L (Privileges Required: Low): Limited user privileges are sufficient.
S:C (Scope: Changed): The vulnerability in the Plesk component affects the entire host system.
The combination of these factors allows an attacker to write arbitrary files to the server and thus take control of all hosted websites, databases, and configurations. According to the vendor, there is no evidence of active exploitation to date.
Technical Analysis: CVE-2026-56843
CVE-2026-56843 affects the XML-RPC API of Plesk Obsidian in versions prior to 18.0.78.4. Due to a flawed authorization check, an authenticated attacker with low privileges can query domains that they do not own and retrieve FTP passwords in plain text. The CVSS score is identical to that of CVE-2026-48614 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), which underscores the comparable criticality.
Disclosing login credentials in plain text allows an attacker to move laterally within the system, compromise additional accounts, and potentially gain complete control over the server. A patch for CVE-2026-56843 is available in version 18.0.78.4 Available. Administrators should update to this version immediately.
CVE-2026-48614 and CVE-2026-56843 are part of a recurring pattern of critical vulnerabilities in WebPros. As early as May 2026, CVE-2026-44962 was disclosed with a CVSS score of 10.0—an XPath injection in the APS Application Catalog that also allowed for complete server takeovers. Previously, CVE-2025-66430 (December 2025) had revealed a similar privilege escalation path via the Password-Protected-Directories feature. This pattern underscores the importance of continuous vendor risk management for companies using WebPros products.
Recommended countermeasures
Plesk server administrators should take immediate action to protect their systems. The vendor recommends the following steps:
Primary Action: Check for Available Security Updates
The most important step is to immediately check for security updates for the Plesk installation. For CVE-2026-56843 is a patch in version 18.0.78.4 Available — Administrators should update to this version immediately. For CVE-2026-48614 Administrators should use the built-in update feature and the Vendor Advisory Monitor for the latest patch information as soon as a patched version becomes available.
Temporary Measure: Restrict Access to the XML API
If an immediate update is not possible, the Vendor Advisory states that, as a temporary measure, access to the XML API can be restricted to trusted IP addresses. This configuration in the file panel.ini Reduces the attack surface, but does not replace the necessary patch.
Continuous vulnerability management is essential to being prepared for such threats.
DACH Relevance and Regulatory Classification
Plesk is widely used in data centers across Germany, Austria, and Switzerland (DACH) and by managed hosting providers. Companies and service providers that operate Plesk instances should assess whether a successful attack could affect personal data—in which case, the GDPR reporting obligation under Article 33 applies, requiring notification to the competent data protection authority within 72 hours. Companies subject to NIS 2 should also assess whether Plesk installations are part of their reportable infrastructure and document the corresponding measures.
How EASM and VRM Reduce Risk
Vulnerabilities such as CVE-2026-48614 and CVE-2026-56843 highlight just how critical it is to continuously monitor the external attack surface. Plesk installations are often part of a company’s or its service providers’ externally accessible infrastructure—and are frequently operated as shadow IT, without security managers having a complete overview of all exposed instances.
One External Attack Surface Management (EASM) LocateRisk automatically identifies such systems—even if they are part of shadow IT or run on third-party infrastructure. The platform detects externally accessible Plesk panels and enables security teams to quickly locate affected instances and check their patch status.
In addition, there is a Continuous Vendor Risk Management (C-VRM) crucial. The pattern of recurring critical vulnerabilities in WebPros illustrates why the continuous assessment of the security status of suppliers and their products is essential. This enables companies to make informed decisions about the use of third-party software and identify risks in the supply chain at an early stage.
LocateRisk operates its platform in German data centers and helps companies comply with GDPR requirements, maintain their digital sovereignty, and document their compliance with regulatory requirements in a verifiable manner.
LocateRisk continuously identifies and assesses vulnerabilities in your external IT systems. Proactively protect your business from attacks. Start a free security check
CVE-2026-48614 and CVE-2026-56843 are critical vulnerabilities in the XML API and XML-RPC API, respectively, of WebPros' Plesk web hosting control panel. CVE-2026-48614 allows an authenticated attacker with low privileges to inject arbitrary configuration directives due to a faulty authorization check, thereby gaining root privileges on the affected server. CVE-2026-56843 allows a low-privileged attacker to read FTP passwords in plain text and move laterally within the system. With a CVSS score of 9.9 each, both are among the most severe known vulnerabilities in hosting software.
For CVE-2026-56843 Plesk Obsidian versions prior to 18.0.78.4 are affected; a patch is available in version 18.0.78.4 available. For CVE-2026-48614 As of the disclosure on July 6, 2026, WebPros had not published any specific affected version numbers; nor has a specific patched version been confirmed to date. Administrators should Vendor Advisory Check regularly for the latest patch information and install available updates immediately.
For CVE-2026-56843 Administrators should immediately upgrade to version 18.0.78.4 Update. For CVE-2026-48614 WebPros recommends, as a temporary measure, restricting access to the XML API to trusted IP addresses — this can be configured via the file panel.ini. This measure reduces the attack surface but does not replace an official security patch. According to the manufacturer, there is no evidence of active exploitation of these vulnerabilities as of the time of publication.
CVE Quick Check
In just a few minutes, check whether there are any indications of a current CVE on your externally visible attack surface.
A rough estimate in just a few minutes via email.
Learn more during a free consultation with a LocateRisk consultant.
You'll receive this by email
companyYour Company, LLC
Verified CVECVE-2024-3094
Passive Assessment
Information About the CVENotes found
Want to find out more, book a demo or simply exchange ideas? We look forward to hearing from you!
We use cookies to optimize our website and our service.
Functional
Always active
Technical storage or access is strictly necessary for the lawful purpose of enabling the use of a particular service expressly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a message over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that have not been requested by the subscriber or user.
Statistics
The technical storage or access, which is carried out exclusively for statistical purposes.Technical storage or access used solely for anonymous statistical purposes. Without a subpoena, the voluntary consent of your Internet service provider, or additional records from third parties, information stored or accessed for this purpose alone generally cannot be used to identify you.
Marketing
Technical storage or access is necessary to create user profiles, to send advertisements, or to track the user on a website or across multiple websites for similar marketing purposes.