cPanel & WHM Hit with Triple Vulnerability Disclosure — Arbitrary Code Execution and Privilege Escalation
Summary
cPanel released emergency patches on May 8 for three newly disclosed vulnerabilities in cPanel and Web Host Manager (WHM), the control panel software that powers millions of web hosting environments worldwide. The flaws range from arbitrary file read to full remote code execution and privilege escalation.
The most severe issues, CVE-2026-29202 and CVE-2026-29203, both carry CVSS scores of 8.8. CVE-2026-29202 exploits insufficient input validation in the create_user API call, allowing an authenticated user to execute arbitrary Perl code on the server. CVE-2026-29203 abuses unsafe symlink handling to modify permissions on arbitrary files via chmod, opening the door to privilege escalation or denial-of-service. The third flaw, CVE-2026-29201 (CVSS 4.3), permits arbitrary file reads through path traversal in the LOADFEATUREFILE adminbin call.
The timing is particularly concerning as these disclosures arrive on the heels of CVE-2026-41940, a critical authentication bypass (CVSS 9.8) in cPanel that has been actively exploited in the wild via the “cPanelSniper” exploit tool, enabling unauthenticated root access on vulnerable servers.
Source
Official cPanel security advisories: CVE-2026-29201, CVE-2026-29202, CVE-2026-29203 | The Hacker News coverage
Commentary
cPanel remains one of the most ubiquitous pieces of infrastructure on the internet, and that ubiquity makes every vulnerability a high-stakes event. Two of these three flaws allow code execution or privilege escalation from an already-authenticated session — meaning a compromised reseller or hosting customer account can be weaponized to pivot to full server control.
Combined with the still-being-exploited cPanelSniper campaign against CVE-2026-41940, hosting providers are facing a compounding threat. If you run cPanel, the advice is simple: run /scripts/upcp immediately and verify you are on 11.136.0.9+, 11.134.0.25+, or 11.132.0.31+. Do not wait for automatic updates.
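The version check in the advice above can be scripted so that a fleet of hosts can be audited consistently. The following POSIX shell script is an added example, not cPanel's own tooling: it compares a cPanel & WHM version string against the fixed releases stated above (11.136.0.9, 11.134.0.25, 11.132.0.31) for its branch. The path /usr/local/cpanel/version used as a fallback is an assumption about a typical install; passing the version explicitly avoids relying on it.

```shell
#!/bin/sh
# Added example (not cPanel's own code): decide whether a cPanel & WHM
# version is at or above the fixed release for its branch, per the
# advisory summary: 11.136.0.9, 11.134.0.25, 11.132.0.31.

# Compare two dotted version strings numerically, component by component.
# Prints -1, 0, or 1 (missing trailing components are treated as 0).
vercmp() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax=${a%%.*}; bx=${b%%.*}
    [ -z "$ax" ] && ax=0
    [ -z "$bx" ] && bx=0
    if [ "$ax" -lt "$bx" ]; then printf '%s\n' -1; return; fi
    if [ "$ax" -gt "$bx" ]; then printf '%s\n' 1; return; fi
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  printf '%s\n' 0
}

# Exit status: 0 = patched for CVE-2026-29201/29202/29203,
#              1 = below the fixed release for its branch,
#              2 = branch is not one of the three the advisory lists.
cpanel_is_patched() {
  v=$1
  branch=${v#11.}; branch=${branch%%.*}
  case $branch in
    136) fixed=11.136.0.9 ;;
    134) fixed=11.134.0.25 ;;
    132) fixed=11.132.0.31 ;;
    *)   return 2 ;;
  esac
  [ "$(vercmp "$v" "$fixed")" -ge 0 ]
}

# Usage: sh check_cpanel.sh [version]
# With no argument, read the installed version from the (assumed) path
# /usr/local/cpanel/version.
main() {
  v=${1:-$(cat /usr/local/cpanel/version 2>/dev/null)}
  if [ -z "$v" ]; then
    echo "no version supplied and none found on this host" >&2
    exit 2
  fi
  rc=0
  cpanel_is_patched "$v" || rc=$?
  case $rc in
    0) echo "$v: at or above the fixed release for its branch" ;;
    1) echo "$v: below the fixed release; run /scripts/upcp now" ;;
    *) echo "$v: branch not covered by this check; consult the advisory" ;;
  esac
  exit "$rc"
}

if [ $# -gt 0 ]; then
  main "$@"
fi
```

The script only recognises the three branches named in the advisory; any other branch exits with status 2 rather than reporting a false "patched", which is the safer default when a version falls outside the published fix list.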