Plesk: Multiple Critical Security Vulnerabilities (CVE-2026-48614, CVE-2026-56843)


This text was generated using artificial intelligence (AI).Update July 8, 2026: In addition, CVE-2026-56843 (CVSS 9.9) has been disclosed, which allows FTP passwords to be exposed in plain text via the XML-RPC API. A patch for this vulnerability is available in version 18.0.78.4. See below for details.

On July 6, 2026, the vendor WebPros disclosed a critical vulnerability in the widely used web hosting control panel Plesk. The vulnerability, identified as CVE-2026-48614, was awarded a CVSS score of 9.9 (critical) Rated. It affects the XML API and allows an authenticated attacker with limited privileges to gain administrative control over the entire server due to a faulty authorization check.