---
title: "cPanel and WHM Patch High Severity Security Vulnerabilities"
date: 2026-05-11
author: "Sofia Ramirez"
featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2026/05/cpanel-and-whm-patch-high-severity-security-vulnerabilities.jpg"
categories:
  - name: "Cybersecurity"
    url: "/cybersecurity.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# cPanel and WHM Patch High Severity Security Vulnerabilities

cPanel has released urgent security updates to fix three newly discovered vulnerabilities that could expose hosting servers to code execution, file access, and denial of service attacks.

## Quick Summary – TLDR:

- cPanel and WHM fixed three security flaws affecting hosting servers and administrative environments.
- One vulnerability could allow arbitrary Perl code execution on affected systems.
- Another flaw could expose sensitive files and server data through improper input validation.
- Users and hosting providers are strongly advised to install the latest patches immediately.

## What Happened?

cPanel has published emergency security updates for **cPanel and Web Host Manager (WHM)** after researchers disclosed three vulnerabilities affecting multiple supported versions of the platform. The flaws impact hosting providers, server administrators, and businesses that rely on **cPanel** to manage websites, databases, and server infrastructure.

The vulnerabilities could allow attackers to read arbitrary files, execute malicious code, and potentially escalate privileges on vulnerable systems. While there is currently no confirmed evidence of active exploitation, security experts warn that these flaws present a serious risk because of cPanel’s massive presence across the web hosting industry.

> cpanel patched 3 bugs on May 8: CVE-2026-29201 (arbitrary file read), CVE-2026-29202 (perl code injection), CVE-2026-29203 (DoS).  
>   
> if you operate shared hosting, WHM is on every box. patch and audit Perl handlers. [\#cPanel](https://twitter.com/hashtag/cPanel?src=hash&ref_src=twsrc%5Etfw)
> 
> — Tre B (@trerbbb) [May 10, 2026](https://twitter.com/trerbbb/status/2053505349039079839?ref_src=twsrc%5Etfw)

## Critical Vulnerability Could Allow Arbitrary Code Execution

The most severe issue, tracked as **CVE-2026-29202**, carries a CVSS severity score of **8.8**. The flaw exists in the **create\_user API** because of insufficient validation of the **plugin** parameter.

According to the advisory, an authenticated attacker could abuse this weakness to execute arbitrary Perl code on the server using the privileges of the compromised account. Researchers say successful exploitation may allow attackers to gain deeper access into hosting environments and potentially compromise hosted websites and sensitive customer information.

Security experts noted that code execution vulnerabilities in cPanel are especially dangerous because the platform is commonly used to manage large numbers of websites from a single server.

## File Read Vulnerability Could Expose Sensitive Data

Another vulnerability, identified as **CVE-2026-29201**, has a CVSS score of **4.3** and affects the **feature::LOADFEATUREFILE** adminbin call.

The issue stems from improper validation of user-supplied feature file names. Attackers could reportedly manipulate the request using relative file paths to read arbitrary files stored on the server.

This may expose sensitive system information including:

- **Configuration files**
- **Database credentials**
- **Internal server data**
- **User account information**

Researchers warned that even moderate severity file disclosure vulnerabilities can become extremely dangerous when combined with other attack methods.
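The fix for a flaw of this class is to refuse any file name that can leave the intended directory. The shell functions below are an added illustration, not cPanel's code or the actual adminbin fix: `unsafe_feature_path` shows the pattern the advisory describes (a caller-supplied name joined onto a base directory without checks), and `resolve_feature_file` shows the allow-list check that only accepts a simple file name. The base directory `/opt/features` is a placeholder, not cPanel's real feature-file location.

```shell
#!/bin/sh
# Added illustration (not cPanel's own code): an unchecked file-name lookup
# next to an allow-listed one. The base directory is a placeholder; cPanel's
# real feature-file location is not assumed here.

# Vulnerable pattern: the caller-supplied name is joined onto the base
# directory as-is, so a relative path such as ../../etc/passwd escapes it.
unsafe_feature_path() {
    name=$1 base=$2
    printf '%s/%s\n' "$base" "$name"
}

# Hardened pattern: accept only a non-empty simple file name made of
# [A-Za-z0-9_-]. That rules out '/', '.' and '..', so the result can never
# leave the base directory. Returns 1 and prints nothing on reject.
resolve_feature_file() {
    name=$1 base=$2
    case $name in
        '') return 1 ;;                  # empty name
        *[!A-Za-z0-9_-]*) return 1 ;;    # any character outside the allow-list
    esac
    printf '%s/%s\n' "$base" "$name"
}

# Usage: sh feature_check.sh NAME [BASEDIR]
if [ -n "${1:-}" ]; then
    if p=$(resolve_feature_file "$1" "${2:-/opt/features}"); then
        echo "accepted: $p"
    else
        echo "rejected: $1" >&2
        exit 1
    fi
fi
```

The allow-list is deliberately stricter than "reject `..`": a deny-list has to anticipate every encoding and separator trick, whereas a short allow-list of safe characters needs no such list at all.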

## Symlink Flaw Could Trigger Denial of Service Attacks

The third vulnerability, tracked as **CVE-2026-29203**, also received a CVSS score of **8.8**. The flaw involves unsafe symlink handling that could allow users to change file permissions using **chmod** on arbitrary files.

Attackers may exploit the issue to disrupt server operations and create denial of service conditions. Researchers also warned the flaw could potentially be chained with other weaknesses to achieve privilege escalation on affected systems.

## Patched Versions Released Across Multiple Branches

cPanel confirmed that patches are now available across multiple supported release branches.

The vulnerabilities have been fixed in:

- **11.136.0.9 and later**
- **11.134.0.25 and later**
- **11.132.0.31 and later**
- **11.130.0.22 and later**
- **Additional supported legacy versions**

Updates have also been released for **WP Squared** environments and older systems still running **CentOS 6** or **CloudLinux 6**.

Administrators can manually force updates using the command:

`/scripts/upcp --force`

Users can then verify the installed version using:

`/usr/local/cpanel/cpanel -V`
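To confirm the update actually landed, an administrator wants the installed version compared against the fixed build for its branch rather than eyeballed. The script below is an added example, not a cPanel tool: it encodes the four fixed versions listed above and assumes `/usr/local/cpanel/cpanel -V` prints the version in the same dotted `11.x.y.z` form the advisory uses (pass the version string as an argument if your build prints it differently). Branches not in the list are reported as `unknown-branch` rather than guessed.

```shell
#!/bin/sh
# Added example (not cPanel's own tooling): compare an installed cPanel/WHM
# version with the minimum fixed build for its branch, using the versions
# from the advisory. Assumes the dotted 11.x.y.z form; pass the version as
# $1 if `/usr/local/cpanel/cpanel -V` prints something else on your build.

# Minimum patched build per branch (major.minor), from the advisory.
patched_version_for_branch() {
    case $1 in
        11.136) echo 11.136.0.9 ;;
        11.134) echo 11.134.0.25 ;;
        11.132) echo 11.132.0.31 ;;
        11.130) echo 11.130.0.22 ;;
        *) return 1 ;;   # branch not covered by the advisory's list
    esac
}

# version_ge A B: succeed when dotted version A >= B, comparing each
# component numerically (so 11.136.0.12 > 11.136.0.9, unlike a string sort).
version_ge() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*} _y=${_b%%.*}
        _x=${_x:-0} _y=${_y:-0}
        [ "$_x" -gt "$_y" ] && return 0
        [ "$_x" -lt "$_y" ] && return 1
        # drop the leading component, or empty the string when none is left
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    return 0
}

# cpanel_patch_status VERSION: prints patched, vulnerable or unknown-branch.
cpanel_patch_status() {
    ver=$1
    branch=$(printf '%s' "$ver" | cut -d. -f1,2)   # 11.136.0.9 -> 11.136
    min=$(patched_version_for_branch "$branch") || { echo unknown-branch; return 0; }
    if version_ge "$ver" "$min"; then
        echo patched
    else
        echo "branch $branch needs $min or later, found $ver" >&2
        echo vulnerable
    fi
}

# Usage: sh cpanel_patch_check.sh [VERSION]; with no argument, query the local install.
ver=${1:-$(/usr/local/cpanel/cpanel -V 2>/dev/null || true)}
if [ -n "$ver" ]; then
    cpanel_patch_status "$ver"
fi
```

Run it after `/scripts/upcp --force` on each box; a `vulnerable` result means the update did not take or the host is pinned to an older build, and `unknown-branch` means the branch needs to be checked against the advisory by hand.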

## Security Concerns Grow After Recent cPanel Zero Day Exploitation

The disclosure comes shortly after another critical cPanel vulnerability, identified as **CVE-2026-41940**, was reportedly exploited in zero-day attacks linked to **Mirai botnet variants** and [ransomware activity](https://sqmagazine.co.uk/ransomware-statistics/).

Researchers at **watchTowr** recently released a detection tool to help organizations identify exposed hosts. Meanwhile, the **U.S. Cybersecurity and Infrastructure Security Agency** added the flaw to its **Known Exploited Vulnerabilities catalog** because of active attacks observed in the wild.

Security experts believe the latest vulnerabilities could quickly attract threat actors due to cPanel’s popularity in the hosting industry.

## SQ Magazine Takeaway

I think this is another reminder that hosting infrastructure remains one of the biggest targets for attackers. cPanel powers a huge portion of the internet, which means even a single critical flaw can create widespread security risks very quickly. The [recent wave of cPanel vulnerabilities](https://sqmagazine.co.uk/cpanel-login-bypass-critical-vulnerability/) also shows how aggressively threat actors move once public disclosures appear. If administrators delay patching, attackers usually do not wait.