Critical cPanel and WHM Security Update: Three New Vulnerabilities Patched to Prevent File Read, Code Execution, and Privilege Escalation
- May 10
- 2 min read
Key Findings
cPanel and WHM released patches for three vulnerabilities affecting multiple versions
CVE-2026-29201 allows arbitrary file read through insufficient input validation
CVE-2026-29202 enables arbitrary Perl code execution for authenticated users
CVE-2026-29203 exploits unsafe symlink handling for denial-of-service and potential privilege escalation
No evidence of active exploitation yet, but disclosure follows recent zero-day attacks using Mirai and Sorry ransomware
Patches available across 12 different version branches with specific minimum versions required
Background
cPanel and Web Host Manager remain critical infrastructure for web hosting management. The three newly disclosed vulnerabilities highlight continuing security challenges in the platform, coming on the heels of CVE-2026-41940 which threat actors were already weaponizing in the wild to deliver botnet and ransomware payloads.
CVE-2026-29201 - Arbitrary File Read
This vulnerability carries a CVSS score of 4.3 and stems from insufficient input validation in the "feature::LOADFEATUREFILE" adminbin call. By manipulating the feature file name parameter, attackers can read arbitrary files from the system. While the lowest severity of the three, this could expose sensitive configuration files or credentials.
CVE-2026-29202 - Perl Code Execution
With a CVSS score of 8.8, this is a significant threat. The vulnerability exists in the "create_user API" call where inadequate validation of the "plugin" parameter allows authenticated users to execute arbitrary Perl code. The key detail here is that exploitation requires existing account access, but once inside, attackers can run code as the system user associated with that account.
CVE-2026-29203 - Symlink Handling and Privilege Escalation
Equally severe at 8.8 CVSS, this vulnerability exploits unsafe symlink handling to allow users to modify file permissions via chmod on arbitrary files. This could lead to denial-of-service attacks or, in certain configurations, escalate privileges to higher-level access.
Affected Versions and Patches
cPanel released patches across a wide range of versions including 11.136.0.9, 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, 11.124.0.37, 11.118.0.66, and older branches down to 11.94.0.30 and 11.86.0.43. WP Squared users need version 11.136.1.10 or higher. For legacy CentOS 6 and CloudLinux 6 users, cPanel released version 110.0.114 as a direct update option.
Recommendation
While active exploitation hasn't been documented, the timing of these disclosures immediately after another zero-day was weaponized suggests elevated threat actor interest in cPanel vulnerabilities. Organizations should prioritize patching to their respective supported versions immediately.
Sources
https://thehackernews.com/2026/05/cpanel-whm-patch-3-new-vulnerabilities.html
https://news.backbox.org/2026/05/09/cpanel-whm-release-fixes-for-three-new-vulnerabilities-patch-now/
https://x.com/TweetThreatNews/status/2053063711879782474
https://www.threads.com/@thehackernews/post/DYHNgl6DyrG/c-panel-and-whm-patched-three-new-vulnerabilities-enabling-file-read-perl-code
https://x.com/TheHackersNews/status/2053011651478397275

Comments