
cPanel has released updates that address three vulnerabilities in cPanel and Web Host Manager (WHM). These vulnerabilities can be exploited to achieve privilege escalation, code execution, and denial of service.
Here is the list of vulnerabilities:
CVE-2026-29201 (CVSS score: 4.3) – Insufficient input validation of the feature file name in the “feature::LOADFEATUREFILE” admin bin call allows arbitrary files to be read.
CVE-2026-29202 (CVSS score: 8.8) – Insufficient input validation of the “plugin” parameter in the “create_user API” call may lead to arbitrary Perl code execution on behalf of a system user for an authenticated account.
CVE-2026-29203 (CVSS score: 8.8) – Insecure symbolic link handling vulnerability allows users to change permissions on arbitrary files using chmod, potentially resulting in a denial of service or privilege escalation.
The shortcomings have been fixed in the following versions:
cPanel and WHM:
11.136.0.9 and later
11.134.0.25 and later
11.132.0.31 and later
11.130.0.22 and later
11.126.0.58 and later
11.124.0.37 and later
11.118.0.66 and later
11.110.0.116, 11.110.0.117 or later
11.102.0.41 or later
11.94.0.30 or later
11.86.0.43 or later
WP Squared –
cPanel has released 110.0.114 as a direct update for customers still using CentOS 6 or CloudLinux 6. We recommend updating to the latest version for optimal protection.
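A quick way to turn the list above into an "am I patched?" check is to compare the installed cPanel/WHM version against the fixed build for the same release branch. The script below is an added example, not cPanel's own tooling; it assumes the four-part version scheme (major.branch.minor.build) shown in the list, and for the 110 branch, where the text gives both 11.110.0.116 and 11.110.0.117, it takes the later build as the minimum.

```python
"""Classify an installed cPanel/WHM version against the fixed builds
listed in the advisory above (patched / vulnerable / unknown branch)."""
import re

# Fixed versions per release branch, copied from the advisory text.
# Assumption: for the 110 branch the later of the two listed builds is
# treated as the minimum fixed build.
FIXED_VERSIONS = [
    "11.136.0.9", "11.134.0.25", "11.132.0.31", "11.130.0.22",
    "11.126.0.58", "11.124.0.37", "11.118.0.66", "11.110.0.117",
    "11.102.0.41", "11.94.0.30", "11.86.0.43",
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (major, branch, minor, build) for a cPanel-style version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised cPanel version: {text!r}")
    return tuple(int(x) for x in m.groups())


# Index the fixed builds by release branch (the second component).
FIXED_BY_BRANCH = {parse_version(v)[1]: parse_version(v) for v in FIXED_VERSIONS}


def assess(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for an installed version.

    'unknown' means the release branch does not appear in the advisory's
    list at all, so this check cannot vouch for it either way. Tuple
    comparison orders (major, branch, minor, build) lexicographically,
    which is what "and later" within one branch means.
    """
    installed = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(installed[1])
    if fixed is None:
        return "unknown"
    return "patched" if installed >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample versions, one per outcome.
    for sample in ("11.136.0.9", "11.136.0.8", "11.120.0.5"):
        print(sample, "->", assess(sample))
```

On a live server the installed version is typically read from /usr/local/cpanel/version and passed to assess(); a result of "unknown" (an unlisted branch) should be treated as needing manual review, not as a pass.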
Although there is no evidence that these vulnerabilities have been exploited, this disclosure comes days after another critical flaw in the product (CVE-2026-41940) was weaponized by attackers in a zero-day attack to distribute variants of the Mirai botnet and a ransomware called Sorry.
