A critical flaw tracked as CVE-2026-44962 shows how a low-privilege search path in a hosting control panel can cross a hard boundary and reach the operating system.