top of page

Critical cPanel and WHM Security Update: Three New Vulnerabilities Patched to Prevent File Read, Code Execution, and Privilege Escalation

  • May 10
  • 2 min read

Key Findings


  • cPanel and WHM released patches for three vulnerabilities affecting multiple versions

  • CVE-2026-29201 allows arbitrary file read through insufficient input validation

  • CVE-2026-29202 enables arbitrary Perl code execution for authenticated users

  • CVE-2026-29203 exploits unsafe symlink handling for denial-of-service and potential privilege escalation

  • No evidence of active exploitation yet, but disclosure follows recent zero-day attacks using Mirai and Sorry ransomware

  • Patches available across 12 different version branches with specific minimum versions required


Background


cPanel and Web Host Manager remain critical infrastructure for web hosting management. The three newly disclosed vulnerabilities highlight continuing security challenges in the platform, coming on the heels of CVE-2026-41940 which threat actors were already weaponizing in the wild to deliver botnet and ransomware payloads.


CVE-2026-29201 - Arbitrary File Read


This vulnerability carries a CVSS score of 4.3 and stems from insufficient input validation in the "feature::LOADFEATUREFILE" adminbin call. By manipulating the feature file name parameter, attackers can read arbitrary files from the system. While the lowest severity of the three, this could expose sensitive configuration files or credentials.


CVE-2026-29202 - Perl Code Execution


With a CVSS score of 8.8, this is a significant threat. The vulnerability exists in the "create_user API" call where inadequate validation of the "plugin" parameter allows authenticated users to execute arbitrary Perl code. The key detail here is that exploitation requires existing account access, but once inside, attackers can run code as the system user associated with that account.


CVE-2026-29203 - Symlink Handling and Privilege Escalation


Equally severe at 8.8 CVSS, this vulnerability exploits unsafe symlink handling to allow users to modify file permissions via chmod on arbitrary files. This could lead to denial-of-service attacks or, in certain configurations, escalate privileges to higher-level access.


Affected Versions and Patches


cPanel released patches across a wide range of versions including 11.136.0.9, 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, 11.124.0.37, 11.118.0.66, and older branches down to 11.94.0.30 and 11.86.0.43. WP Squared users need version 11.136.1.10 or higher. For legacy CentOS 6 and CloudLinux 6 users, cPanel released version 110.0.114 as a direct update option.


Recommendation


While active exploitation hasn't been documented, the timing of these disclosures immediately after another zero-day was weaponized suggests elevated threat actor interest in cPanel vulnerabilities. Organizations should prioritize patching to their respective supported versions immediately.


Sources


  • https://thehackernews.com/2026/05/cpanel-whm-patch-3-new-vulnerabilities.html

  • https://news.backbox.org/2026/05/09/cpanel-whm-release-fixes-for-three-new-vulnerabilities-patch-now/

  • https://x.com/TweetThreatNews/status/2053063711879782474

  • https://www.threads.com/@thehackernews/post/DYHNgl6DyrG/c-panel-and-whm-patched-three-new-vulnerabilities-enabling-file-read-perl-code

  • https://x.com/TheHackersNews/status/2053011651478397275

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page