No advisories yet.
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Sat, 11 Jul 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Cross‑Tenant FTP Credential Exposure via Weak XML‑RPC Authorization in Plesk |
Fri, 10 Jul 2026 01:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Cross-Tenant FTP Credential Disclosure via XML-RPC API Authorization Bypass |
Thu, 09 Jul 2026 04:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Cross-Tenant FTP Credential Disclosure via XML-RPC API Authorization Bypass |
Wed, 08 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 08 Jul 2026 02:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Webpros
Webpros plesk |
|
| Vendors & Products |
Webpros
Webpros plesk |
Wed, 08 Jul 2026 01:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up domains they do not own, because ownership is enforced only for certain lookup filters and schema validation is bypassed for legacy protocol versions. This results in cross-tenant disclosure of other tenants' FTP credentials stored in cleartext, which can be leveraged to execute code as another tenant's system user. | |
| Weaknesses | CWE-522 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: hackerone
Published:
Updated: 2026-07-08T13:04:17.023Z
Reserved: 2026-06-23T15:00:03.632Z
Link: CVE-2026-56843
Updated: 2026-07-08T13:04:13.970Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-11T20:00:08Z