Plesk Obsidian Denial-of-Service Vulnerability in get_password.php Endpoint

Vulnerability

A denial-of-service vulnerability has been identified in Plesk Obsidian versions 8.0.1 prior to 18.0.73. The issue arises in the get_password.php endpoint, where a crafted request with a malicious payload can cause the web interface to enter a continuous reload loop. This behavior disrupts service availability for legitimate users. The vulnerability can be exploited remotely and without authentication, leading to a persistent impact on the affected Plesk Obsidian instance.

Impact

Exploitation of this vulnerability causes a denial-of-service condition, where the web interface becomes unresponsive to legitimate users due to continuous reloads induced by the crafted request.

Reproduction

To reproduce this vulnerability, access a Plesk Obsidian instance running a vulnerable version. Send a crafted request to the get_password.php endpoint with a malicious payload. The web interface will begin to reload continuously, generating excessive Bad Requests and rendering the service unusable.
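The symptom described above (a request to get_password.php followed by a flood of Bad Requests) can be hunted for in the panel's access log. The following is an added detection sketch, not code from Plesk or from this advisory. It assumes a combined-log-format access log, and the 60-second window, the threshold of 5, the sample request path and the sample log lines are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed: access log in combined log format; adjust the pattern to the real log.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
WINDOW = timedelta(seconds=60)  # assumed correlation window
THRESHOLD = 5                   # assumed number of 400s that counts as a burst

def parse(line):
    """Return (timestamp, client_ip, path, status) or None for unparsable lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["ip"], m["path"], int(m["status"])

def find_bursts(lines):
    """Flag each get_password.php request followed, within WINDOW,
    by at least THRESHOLD HTTP 400 responses from any client."""
    events = sorted(e for e in map(parse, lines) if e)
    alerts = []
    for i, (ts, ip, path, _status) in enumerate(events):
        if "get_password.php" not in path:
            continue
        bad = [e for e in events[i + 1:] if e[0] - ts <= WINDOW and e[3] == 400]
        if len(bad) >= THRESHOLD:
            alerts.append({
                "trigger_ip": ip,
                "trigger_time": ts,
                "bad_requests": len(bad),
                "affected_clients": sorted({e[1] for e in bad}),
            })
    return alerts

def _line(ip, sec, path, status):
    # Constructed sample log line (documentation IP ranges, placeholder query).
    return (f'{ip} - - [08/Jan/2026:10:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "-"')

SAMPLE = [_line("203.0.113.9", 0, "/get_password.php?x=PLACEHOLDER", 200)] + [
    _line(f"192.0.2.{10 + s % 2}", 5 + s, "/", 400) for s in range(6)
]

if __name__ == "__main__":
    for alert in find_bursts(SAMPLE):
        print(alert)
```

An alert names the client that touched get_password.php and the clients that then received 400s, which gives a starting point for blocking the source and confirming the instance still runs a version prior to 18.0.73.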

Added: Jan 8, 2026, 7:41 PM
Updated: Jan 8, 2026, 7:41 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 8.6
remediation: 0.0
relevance: 1.9
threat: 1.6
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.