cPanel Flaws Let Attackers Execute Code and Escalate Privileges
cPanel has released security patches addressing three vulnerabilities in cPanel and Web Host Manager (WHM) that could allow attackers to read arbitrary files, execute malicious code, escalate privileges, and cause denial-of-service conditions. The fixes were included in the WP2 Security Update on May 8, 2026.
The vulnerabilities affect widely deployed cPanel and WHM installations used by hosting providers and website administrators globally.
While no active exploitation of these three flaws has been confirmed, the disclosure comes in the wake of a recently weaponized critical flaw in the same product, raising the urgency of patching.
CVE-2026-29201: Arbitrary File Read via Feature File Injection
The first vulnerability, CVE-2026-29201, carries a CVSS score of 4.3 and stems from insufficient input validation of the feature file name in the feature::LOADFEATUREFILE adminbin call.
An attacker exploiting this flaw could manipulate the input to read arbitrary files on the server, potentially exposing sensitive configuration data, credentials, or system files that could be leveraged in further attacks.
CVE-2026-29202: Arbitrary Perl Code Execution via API Parameter
The most severe of the three, CVE-2026-29202, scores 8.8 on the CVSS scale. It exists due to inadequate input validation of the plugin parameter in the create_user API call.
A successfully authenticated attacker can exploit this weakness to execute arbitrary Perl code with the privileges of the system user associated with that account.
Given that many hosting environments grant elevated system-level permissions to cPanel accounts, this vulnerability poses a significant risk of full system compromise.
CVE-2026-29203: Unsafe Symlink Handling Enables Privilege Escalation and DoS
Also scoring 8.8, CVE-2026-29203 involves unsafe symlink handling that enables a user to manipulate access permissions of arbitrary files through chmod.
This could result in denial-of-service by corrupting critical file permissions or enabling privilege escalation by granting unauthorized write access to sensitive system files.
cPanel has released fixes across multiple supported version branches. Users should update to the following versions or higher:
- cPanel and WHM: 11.136.0.9, 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, 11.124.0.37, 11.118.0.66, 11.110.0.116/117, 11.102.0.41, 11.94.0.30, and 11.86.0.43
- WP Squared: 11.136.1.10 and higher
For customers still operating on CentOS 6 or CloudLinux 6, cPanel has issued version 110.0.114 as a direct update path.
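As an added check, not cPanel's own tooling, the script below compares an installed cPanel/WHM version string against the fixed versions listed above and reports whether the branch is patched. It assumes the installed version can be read from `/usr/local/cpanel/version`, and for the 11.110 branch it treats `.116` as the lower bound of the ".116/117" given in the advisory.

```python
"""Compare a cPanel/WHM version with the fixed releases from the advisory.

Added example, not cPanel's own tooling. Reading /usr/local/cpanel/version
is an assumption about where the installed version lives; is_patched() can
also be called with any version string for an offline check.
"""
from __future__ import annotations

# Minimum fixed version per release branch, taken from the advisory text.
# Branch 11.110 is listed as ".116/117"; .116 is used as the lower bound.
# The CentOS 6 / CloudLinux 6 build (110.0.114 in the advisory) is a
# separate platform build and is not modelled here.
FIXED_VERSIONS = [
    "11.136.0.9", "11.134.0.25", "11.132.0.31", "11.130.0.22",
    "11.126.0.58", "11.124.0.37", "11.118.0.66", "11.110.0.116",
    "11.102.0.41", "11.94.0.30", "11.86.0.43",
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '11.136.0.9' (or the WHM UI form '136.0.9') into a comparable tuple.
    WHM displays versions without the leading '11.', so both forms are accepted."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) == 3:            # UI form: 136.0.9 -> 11.136.0.9
        parts = (11,) + parts
    if len(parts) != 4 or parts[0] != 11:
        raise ValueError(f"unrecognised cPanel version: {text!r}")
    return parts


def fixed_for_branch(version: tuple[int, ...]) -> tuple[int, ...] | None:
    """Return the fixed version for the same 11.X branch, or None if the
    branch is not in the advisory (for example an end-of-life branch)."""
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if f[:2] == version[:2]:
            return f
    return None


def is_patched(text: str) -> bool | None:
    """True if at or above the branch fix, False if below, None if the branch is unknown."""
    v = parse_version(text)
    fixed = fixed_for_branch(v)
    return None if fixed is None else v >= fixed


if __name__ == "__main__":
    with open("/usr/local/cpanel/version") as fh:   # assumed location
        ver = fh.read().strip()
    state = is_patched(ver)
    label = {True: "patched", False: "VULNERABLE", None: "branch not in advisory"}[state]
    print(f"cPanel {ver}: {label}")
```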
Although no exploitation of CVE-2026-29201, CVE-2026-29202, or CVE-2026-29203 has been observed in the wild, the timing of this disclosure is notable.
Just days prior, a separate critical cPanel vulnerability, CVE-2026-41940, was actively weaponized by threat actors as a zero-day.
Attackers exploited that flaw to deliver Mirai botnet variants and deploy a ransomware strain identified as “Sorry,” underscoring that cPanel installations are an active target for threat actors.
Administrators running cPanel and WHM environments should apply the latest patches immediately and audit their systems for indicators of compromise, given the ongoing threat activity targeting this platform.