CVE-2025-54336
Plesk Obsidian 18.0.70 - Info Disclosure
Severity: CRITICAL
In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses a loose (==) comparison to check the password. As a result, if the correct password is "0e" followed by any digit string, an attacker can log in with any other string that also evaluates to 0.0 (such as the string 0e0). This occurs in admin/plib/LoginManager.php.
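To make the root cause concrete, here is an added illustration (not Plesk's code) of the loose comparison beside the hardened form a maintainer would use; the function names are hypothetical stand-ins for _isAdminPasswordValid, and the sample values are constructed.

```php
<?php
// Added example for CVE-2025-54336; not taken from Plesk or LoginManager.php.
// Function names are hypothetical stand-ins for _isAdminPasswordValid.

// Vulnerable pattern (CWE-697, incorrect comparison): PHP's == compares two
// numeric strings as numbers. "0e" followed by digits is the float 0.0, so it
// matches any other string that also evaluates to 0.0.
function isAdminPasswordValidLoose(string $stored, string $supplied): bool
{
    return $stored == $supplied;
}

// Hardened pattern: hash_equals() compares the raw bytes, never converts to a
// number, and runs in constant time. A strict === closes the type-juggling
// hole as well, but hash_equals() also avoids leaking timing information.
function isAdminPasswordValidStrict(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

// Constructed sample: a stored secret that happens to start with "0e".
$stored   = '0e123456789';
$supplied = '0e0';

// The loose check treats both strings as 0.0; the strict check compares bytes.
var_dump(isAdminPasswordValidLoose($stored, $supplied));
var_dump(isAdminPasswordValidStrict($stored, $supplied));
```

The same fix applies to any comparison of a secret or a hex digest in PHP: use hash_equals() (or at minimum ===) rather than ==.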
Scores
CVSS v3: 9.8
EPSS: 0.0006
EPSS Percentile: 17.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Classification
CWE: CWE-697
Status: draft
Timeline
Published: Aug 19, 2025
Tracked Since: Feb 18, 2026