cPanel has released urgent security updates to fix three newly discovered vulnerabilities that could expose hosting servers to code execution, file access, and denial of service attacks.
Quick Summary – TLDR:
- cPanel and WHM fixed three security flaws affecting hosting servers and administrative environments.
- One vulnerability could allow arbitrary Perl code execution on affected systems.
- Another flaw could expose sensitive files and server data through improper input validation.
- Users and hosting providers are strongly advised to install the latest patches immediately.
What Happened?
cPanel has published emergency security updates for cPanel and Web Host Manager (WHM) after researchers disclosed three vulnerabilities affecting multiple supported versions of the platform. The flaws impact hosting providers, server administrators, and businesses that rely on cPanel to manage websites, databases, and server infrastructure.
The vulnerabilities could allow attackers to read arbitrary files, execute malicious code, and potentially escalate privileges on vulnerable systems. While there is currently no confirmed evidence of active exploitation, security experts warn that these flaws present a serious risk because of cPanel’s massive presence across the web hosting industry.
cpanel patched 3 bugs on May 8: CVE-2026-29201 (arbitrary file read), CVE-2026-29202 (perl code injection), CVE-2026-29203 (DoS).
— Tre B (@trerbbb) May 10, 2026
if you operate shared hosting, WHM is on every box. patch and audit Perl handlers.#cPanel
Critical Vulnerability Could Allow Arbitrary Code Execution
The most severe issue tracked as CVE-2026-29202 carries a CVSS severity score of 8.8. The flaw exists in the create_user API because of insufficient validation of the plugin parameter.
According to the advisory, an authenticated attacker could abuse this weakness to execute arbitrary Perl code on the server using the privileges of the compromised account. Researchers say successful exploitation may allow attackers to gain deeper access into hosting environments and potentially compromise hosted websites and sensitive customer information.
Security experts noted that code execution vulnerabilities in cPanel are especially dangerous because the platform is commonly used to manage large numbers of websites from a single server.
File Read Vulnerability Could Expose Sensitive Data
Another vulnerability identified as CVE-2026-29201 has a CVSS score of 4.3 and affects the feature::LOADFEATUREFILE adminbin call.
The issue stems from improper validation of user supplied feature file names. Attackers could reportedly manipulate the request using relative file paths to read arbitrary files stored on the server.
This may expose sensitive system information including:
- Configuration files
- Database credentials
- Internal server data
- User account information
Researchers warned that even moderate severity file disclosure vulnerabilities can become extremely dangerous when combined with other attack methods.
Symlink Flaw Could Trigger Denial of Service Attacks
The third vulnerability tracked as CVE-2026-29203 also received a CVSS score of 8.8. The flaw involves unsafe symlink handling that could allow users to change file permissions using chmod on arbitrary files.
Attackers may exploit the issue to disrupt server operations and create denial of service conditions. Researchers also warned the flaw could potentially be chained with other weaknesses to achieve privilege escalation on affected systems.
Patched Versions Released Across Multiple Branches
cPanel confirmed that patches are now available across multiple supported release branches.
The vulnerabilities have been fixed in:
- 11.136.0.9 and later
- 11.134.0.25 and later
- 11.132.0.31 and later
- 11.130.0.22 and later
- Additional supported legacy versions
Updates have also been released for WP Squared environments and older systems still running CentOS 6 or CloudLinux 6.
Administrators can manually force updates using the command:
/scripts/upcp --force
Users can then verify the installed version using:
/usr/local/cpanel/cpanel -V
Security Concerns Grow After Recent cPanel Zero Day Exploitation
The disclosure comes shortly after another critical cPanel vulnerability identified as CVE-2026-41940 was reportedly exploited in zero day attacks linked to Mirai botnet variants and ransomware activity.
Researchers at watchTowr recently released a detection tool to help organizations identify exposed hosts. Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog because of active attacks observed in the wild.
Security experts believe the latest vulnerabilities could quickly attract threat actors due to cPanel’s popularity in the hosting industry.
SQ Magazine Takeaway
I think this is another reminder that hosting infrastructure remains one of the biggest targets for attackers. cPanel powers a huge portion of the internet, which means even a single critical flaw can create widespread security risks very quickly. The recent wave of cPanel vulnerabilities also shows how aggressively threat actors move once public disclosures appear. If administrators delay patching, attackers usually do not wait.
