CVE-2026-56843 is an incorrect authorization vulnerability in the XML-RPC/XML API of WebPros Plesk affecting versions before 18.0.78.4, including legacy XML protocol versions below 1.4.2.0. A low-privileged authenticated customer can query domain records they do not own because ownership checks are enforced only for certain lookup filters, and schema validation can be bypassed for legacy protocol versions. As a result, an attacker can retrieve other tenants' FTP credentials, which are stored in cleartext, causing cross-tenant information disclosure. The exposed credentials can then be used to access another tenant's FTP service and upload malicious files, potentially leading to code execution as that tenant's system user.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An incorrect authorization vulnerability in the XML-RPC API of WebPros Plesk that allows a low-privileged authenticated customer to access other tenants' domain information and disclose cleartext FTP credentials, potentially enabling code execution as another tenant's system user.
A vulnerability in Plesk's XML API protocol that exposes cleartext FTP passwords, potentially enabling attackers to upload malicious files and achieve remote code execution.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.