CVE-2025-49618

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-49618
In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint.

5.8 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://www.linkedin.com/posts/gaetano-cesano-976420200_qualche-giorno-fa-stavo-testando-plesk-obsidian-activity-7341794923198709761-by9G
https://www.plesk.com/blog/plesk-news-announcements/plesk-obsidian-18-0-69-is-here/
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) En Plesk Obsidian 18.0.69, las solicitudes no autenticadas a /login_up.php pueden revelar un AWS accessKeyId, un secretAccessKey, una regiĆ³n y un endpoint.

03 Jul 2025, 13:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-03 13:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-49618

Mitre link : CVE-2025-49618

CVE.ORG link : CVE-2025-49618

JSON object : View

Products Affected

No product.

CWE
CWE-402

Transmission of Private Resources into a New Sphere ('Resource Leak')