CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-56843

criticalCVSS 9.9covered by 1 sourcefirst seen 2026-07-08
Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up domains they do not own, because ownership is enforced only for certain lookup filters and schema validation is bypassed for legacy protocol versions. This results in cross-tenant disclosure of other tenants' FTP credentials stored in cleartext, which can be leveraged to execute code as another tenant's system user.

⚡ Watch CVE-2026-56843

Get an email if CVE-2026-56843 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-56843

CVE.org record

Embed the live status

CVE-2026-56843 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-56843 status](https://www.csirts.com/badge/CVE-2026-56843)](https://www.csirts.com/cve/CVE-2026-56843)