cPanel Patches Three Security Flaws Affecting WHM Users

cPanel has released security updates to fix three vulnerabilities affecting both cPanel and Web Host Manager (WHM), including flaws that could potentially lead to privilege escalation, arbitrary code execution, and denial-of-service (DoS) attacks.

The vulnerabilities impact multiple supported versions of the hosting management platform, and administrators are being urged to apply the updates immediately.

Vulnerabilities Fixed by cPanel

The newly disclosed security flaws are tracked as:

CVE-2026-29201 — Arbitrary File Read

  • CVSS Score: 4.3
  • The vulnerability stems from insufficient input validation in the feature::LOADFEATUREFILE adminbin call.
  • An attacker could exploit the flaw to perform arbitrary file reads.

CVE-2026-29202 — Arbitrary Perl Code Execution

  • CVSS Score: 8.8
  • This high-severity issue affects the plugin parameter in the create_user API call.
  • Successful exploitation could allow arbitrary Perl code execution under the context of an already authenticated account’s system user.

CVE-2026-29203 — Unsafe Symlink Handling

  • CVSS Score: 8.8
  • The flaw involves unsafe symlink handling mechanisms.
  • Attackers may be able to modify file permissions using chmod, potentially causing denial-of-service conditions or even privilege escalation.

Patched Versions

The vulnerabilities have been fixed in the following versions of cPanel and WHM:

  • 11.136.0.9 and later
  • 11.134.0.25 and later
  • 11.132.0.31 and later
  • 11.130.0.22 and later
  • 11.126.0.58 and later
  • 11.124.0.37 and later
  • 11.118.0.66 and later
  • 11.110.0.116 and later
  • 11.110.0.117 and later
  • 11.102.0.41 and later
  • 11.94.0.30 and later
  • 11.86.0.43 and later

For WP Squared, the issues have been addressed in:

  • 11.136.1.10 and later

Additionally, cPanel has released version 110.0.114 as a direct update for customers still running older operating systems such as CentOS 6 and CloudLinux 6.
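A quick way to act on the list above is to compare the installed build against the fixed release for its branch. The script below is an added example, not cPanel's own tooling: it encodes the cPanel and WHM and WP Squared fixed versions from this article (the legacy 110.0.114 CentOS 6 build is not covered), keys them by the first three version components so the WP Squared 11.136.1.x line is checked separately from 11.136.0.x, and assumes that `/usr/local/cpanel/version` holds the installed version string.

```python
"""Check whether an installed cPanel & WHM build is at or above the fixed
release for its branch, using the patched-version list from this advisory."""
import re
import sys

# Fixed releases from the advisory, keyed by branch (major.minor.tier).
# 11.136.1 is the WP Squared line. The advisory lists both 11.110.0.116 and
# 11.110.0.117 for the 11.110 branch; the higher one is used as the
# conservative threshold.
FIXED_VERSIONS = {
    "11.136.0": "11.136.0.9", "11.136.1": "11.136.1.10",
    "11.134.0": "11.134.0.25", "11.132.0": "11.132.0.31",
    "11.130.0": "11.130.0.22", "11.126.0": "11.126.0.58",
    "11.124.0": "11.124.0.37", "11.118.0": "11.118.0.66",
    "11.110.0": "11.110.0.117", "11.102.0": "11.102.0.41",
    "11.94.0": "11.94.0.30", "11.86.0": "11.86.0.43",
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Turn '11.126.0.50' into (11, 126, 0, 50); reject anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def check_version(installed):
    """Classify an installed version as patched, vulnerable or unknown branch."""
    v = parse_version(installed)
    branch = f"{v[0]}.{v[1]}.{v[2]}"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # Branch not in the advisory: could be unsupported or newer than the list.
        return {"installed": installed, "branch": branch, "fixed": None,
                "status": "unknown"}
    status = "patched" if v >= parse_version(fixed) else "vulnerable"
    return {"installed": installed, "branch": branch, "fixed": fixed,
            "status": status}


def read_installed_version(path="/usr/local/cpanel/version"):
    """Assumption: this file holds the version string on a cPanel host."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    # Pass a version on the command line, or read it from the host.
    version = sys.argv[1] if len(sys.argv) > 1 else read_installed_version()
    result = check_version(version)
    print(result)
    sys.exit(0 if result["status"] == "patched" else 1)
```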

No Active Exploitation Detected Yet

At this time, there is no evidence suggesting that the vulnerabilities are being actively exploited in real-world attacks.

However, the disclosure comes shortly after another critical cPanel vulnerability, tracked as CVE-2026-41940, was reportedly exploited as a zero-day by threat actors. That flaw was used to deploy variants of the Mirai botnet as well as a ransomware strain known as “Sorry.”

Administrators Urged to Update Immediately

Given the severity of the vulnerabilities — particularly the two flaws rated 8.8 on the CVSS scale — system administrators and hosting providers are strongly advised to update their cPanel and WHM installations as soon as possible.

Keeping hosting infrastructure fully patched remains critical as attackers continue targeting web hosting environments to gain unauthorized access, spread malware, and disrupt online services.
