Hangover2
Regular Pleskian
TITLE
Critical security issue fixed on 24–25 February 2026 (Plesk Obsidian 18.0.75 Update 1 / 18.0.76 Update 2) — request for vulnerability details for NIS2 compliance
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
Plesk Obsidian 18.0.75 Update 1 and Plesk Obsidian 18.0.76 Update 2
PROBLEM DESCRIPTION
The changelogs for the following releases state that they “address a critical security issue” but provide no actionable information (e.g., CVE/vendor ID, affected components, severity, impact).
For operators subject to the EU NIS2 Directive (Directive (EU) 2022/2555), this lack of information makes it difficult to properly identify, assess, document, and (if applicable) report significant incidents within mandated timelines. In particular, the incident handling and reporting obligations require timely clarity on severity, impact, likely root cause, and potential indicators of compromise.
Additionally, NIS2 places explicit governance and oversight obligations on the management body; inadequate information from a critical vendor security update materially increases compliance risk for affected customers.
STEPS TO REPRODUCE
a) Open the Plesk changelog entries for:
- Plesk Obsidian 18.0.75 Update 1
- Plesk Obsidian 18.0.76 Update 2
b) Observe the generic statement:
- "This update addresses a critical security issue. We strongly recommend that you apply it as soon as possible."
ACTUAL RESULT
No details are provided about the security fix(es), preventing customers from assessing exposure, determining severity, checking for compromise, and preparing compliant documentation/reporting where required.
EXPECTED RESULT
For this specific “critical security issue,” please provide at least the following:
a) CVE identifier(s) and/or Plesk vendor vulnerability ID
b) Affected component(s) and affected versions / configurations
c) Impact description (what an attacker can do, under which prerequisites and context)
d) Severity rating (CVSS score/vector or equivalent)
e) Whether you are aware of active exploitation in the wild or targeted attacks
f) Discovery / disclosure timeline (approximate date of discovery)
If full details cannot be published immediately, a minimum interim advisory (IDs, scope, severity, and mitigation guidance) would already be helpful for compliance and risk management.
ANY ADDITIONAL INFORMATION
Customers subject to NIS2 (e.g., German operators reporting to the BSI, as applicable) may need to assess whether this constitutes a significant incident and document/report accordingly. Without basic vulnerability metadata and scope, it is not possible to perform this assessment reliably.
This is not only an organizational compliance issue: NIS2 places explicit accountability on the management body, and national implementations (e.g., Germany) can create financial risk through:
- significant administrative fines for breaches of key obligations, and
- potential personal civil liability exposure for management if required cybersecurity measures and oversight cannot be demonstrated, especially if delayed or insufficient action leads to damages.
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM
Answer the question