Issue This update addresses a critical security issue. We strongly recommend that you apply it as soon as possible.

[Azurel]

Server operating system version

AlmaLinux 8.10

Plesk version and microupdate number

18.0.74#2

In Changelog I found this

This update addresses a critical security issue. We strongly recommend that you apply it as soon as possible.

for Plesk Obsidian 18.0.74 Update 2 and Plesk Obsidian 18.0.73 Update 5.

If this is so very important, why is no corresponding notification sent to the admin account by email? I receive an email when an update has been installed automatically, but not when urgent action is required? Or has anyone received such a notice?

 

[Sebahat.hadzhi]

Plesk (and most control panels) generally do not send proactive “security advisory” emails to server admins, even when an update contains a security patch. What you can do is to sign up for our Release Notes RSS feed:

• https://docs.plesk.com/release-notes/obsidian/change-log/rss.xml

This way you can track the changelog and opt for an upgrade whenever desirable.

 

[Ladylinux]

What is the actual security issue ??

And no for security issues Plesk should do a better job of notifying owners of licenses.

Ladylinux

 

[Maarten]

I’ve shared a suggestion regarding this issue in the Plesk Suggestions and Feedback forum for Plesk to improve security notifications:

Input - Provide detailed security information and a dedicated security mailing list

When Plesk sends a notification about a “critical security update”, the only information we receive is the short message shown on the changelog. There is no CVE, no affected component, and no severity score. Looking at the inf3 files in the autoinstall directory, it’s difficult to determine...

talk.plesk.com

 

[Ladylinux]

Unbelievable

This is the actual vulnerability

https://support.plesk.com/hc/en-us/articles/36494997377687--CVE-2025-66431-Security-vulnerability-in-domain-creation-mechanism-allows-Plesk-users-to-execute-arbitrary-code-on-behalf-of-root

https://support.plesk.com/hc/en-us/articles/36494997377687--CVE-2025-66431-Security-vulnerability-in-domain-creation-mechanism-allows-Plesk-users-to-execute-arbitrary-code-on-behalf-of-root

No where is it even clearly shown that this affects earlier Plesk Versions and those just have clunky workarounds!!

Unacceptable Plesk!!

 

[Maarten]

Interesting. How did you find these articles?

 

[Ladylinux]

Hi,

I would edit but you only give people a few minutes to edit or delete

Unbelievable this is a ROOT level Vulnerability!!!

This is the actual vulnerability


https://support.plesk.com/hc/en-us/...s-to-execute-arbitrary-code-on-behalf-of-root

And

https://support.plesk.com/hc/en-us/articles/36261922405015--CVE-2025-66430-Security-vulnerability-in-Password-Protected-Directories-allows-Plesk-users-to-gain-root-level-access-to-a-Plesk-server

No where is it even clearly shown that this affects earlier Plesk Versions and those just have clunky workarounds!!

Unacceptable Plesk!!

 

[Ladylinux]

Interesting. How did you find these articles?

By digging around

Not how its suppose to be done by a so called professional company

Sick of excuses so disregard my tone please