Overview
On May 9, 2026, cPanel released urgent updates for cPanel and Web Host Manager (WHM) to fix three vulnerabilities that could lead to privilege escalation, arbitrary code execution, and denial‑of‑service. Administrators are strongly advised to patch immediately to prevent exploitation.
Vulnerability Breakdown
- CVE‑2026‑29201 (CVSS 4.3)
  - Insufficient input validation in the feature::LOADFEATUREFILE adminbin call.
  - Risk: arbitrary file read.
- CVE‑2026‑29202 (CVSS 8.8)
  - Insufficient input validation of the plugin parameter in the create_user API.
  - Risk: arbitrary Perl code execution under an authenticated system user.
- CVE‑2026‑29203 (CVSS 8.8)
  - Unsafe symlink handling vulnerability.
  - Risk: modification of file access permissions via chmod, leading to DoS or privilege escalation.
Patch Versions
The vulnerabilities are fixed in the following releases:
- cPanel & WHM:
- 11.136.0.9+, 11.134.0.25+, 11.132.0.31+, 11.130.0.22+, 11.126.0.58+, 11.124.0.37+, 11.118.0.66+, 11.110.0.116+, 11.110.0.117+, 11.102.0.41+, 11.94.0.30+, 11.86.0.43+.
- WP Squared: 11.136.1.10+.
- Legacy Support: 110.0.114 for CentOS 6 / CloudLinux 6 users.
Context
- No evidence of exploitation yet.
- Disclosure follows closely after CVE‑2026‑41940, a critical cPanel flaw weaponized as a zero‑day to deliver Mirai botnet variants and the Sorry ransomware.
Defensive Guidance
- Update immediately to patched versions.
- Audit logs for suspicious activity, especially privilege escalation attempts.
- Harden symlink handling and input validation in custom scripts.
- Monitor for indicators of compromise tied to Mirai or ransomware payloads.
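The last two guidance items above correspond to the bug classes in this advisory: an unchecked name parameter and a chmod that follows a symlink. The following is an added defensive example, not cPanel code: a strict allowlist for a plugin-style identifier and a chmod helper that refuses symlinks and non-regular files. The function names and the temp-file scenario in `demo()` are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Hypothetical allowlist (added example, not cPanel's): a short identifier with no
# path separators, quotes, or shell/Perl metacharacters.
PLUGIN_NAME_RE = re.compile(r"\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\Z")


def validate_plugin_name(name: str) -> bool:
    """Return True only if the name matches the allowlist exactly."""
    return PLUGIN_NAME_RE.fullmatch(name) is not None


def safe_chmod(path: str, mode: int) -> None:
    """chmod a regular file without following a symlink in the final path component.

    O_NOFOLLOW makes open() fail (ELOOP) if `path` is a symlink, and fchmod acts on the
    inode already opened, so no lstat-then-chmod race window exists.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"refusing to chmod non-regular file: {path}")
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: a regular file plus a symlink pointing at it."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target.conf")
        link = os.path.join(d, "link.conf")
        with open(target, "w") as f:
            f.write("x\n")
        os.chmod(target, 0o600)
        os.symlink(target, link)
        safe_chmod(target, 0o640)  # direct path: allowed
        try:
            safe_chmod(link, 0o777)  # via symlink: must be refused
            link_rejected = False
        except OSError:
            link_rejected = True
        return {
            "target_mode": stat.S_IMODE(os.stat(target).st_mode),
            "link_rejected": link_rejected,
        }
```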
Final Thought
cPanel and WHM remain high‑value targets due to their widespread use in hosting environments. With one recent flaw already exploited in the wild, administrators cannot afford delay. The lesson is clear: patch cycles must be immediate, not scheduled, when privilege escalation and code execution are at stake.