Back to overview

CVE-2026-56843

CRITICAL
9.9
CVSS 3.1
Description
Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up domains they do not own, because ownership is enforced only for certain lookup filters and schema validation is bypassed for legacy protocol versions. This results in cross-tenant disclosure of other tenants' FTP credentials stored in cleartext, which can be leveraged to execute code as another tenant's system user.

Metadata

CVE ID
CVE-2026-56843
State
PUBLISHED
Assigner
hackerone
Reserved
2026-06-23 15:00 UTC
Published
2026-07-08 00:15 UTC
Last updated
2026-07-08 00:15 UTC
Primary CWE
CWE-522
CWE-522 Insufficiently Protected Credentials
Vendor / Product
Webpros / Plesk
Sources
cve.org  ·  NVD

Severity & Metrics

9.9 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
Webpros Plesk 10.4 < 18.0.78.4
Weakness (CWE)
CWESourceDescription
CWE-522 cna CWE-522 Insufficiently Protected Credentials
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.9 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Back to overview