cPanel and WHM Address Three Vulnerabilities with Recent Patch

cPanel has issued updates to rectify three vulnerabilities in its cPanel and Web Host Manager (WHM) software, which could lead to serious security issues including privilege escalation and code execution.

cPanel

cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited for privilege escalation, code execution, and denial-of-service attacks.

Details of the Vulnerabilities

The vulnerabilities are identified as follows:

  • CVE-2026-29201 (CVSS score: 4.3) – This issue arises from insufficient input validation of the feature file name in the feature::LOADFEATUREFILE adminbin call, potentially allowing arbitrary file reading.
  • CVE-2026-29202 (CVSS score: 8.8) – This vulnerability stems from inadequate input validation of the plugin parameter in the create_user API call, which could allow arbitrary Perl code execution on behalf of an authenticated account’s system user.
  • CVE-2026-29203 (CVSS score: 8.8) – This issue involves unsafe symlink handling, enabling a user to modify access permissions of arbitrary files using chmod, potentially leading to denial-of-service or privilege escalation.

Affected Versions and Patches

The vulnerabilities have been patched in the following versions:

  • cPanel and WHM – 11.136.0.9 and higher
  • 11.134.0.25 and higher
  • 11.132.0.31 and higher
  • 11.130.0.22 and higher
  • 11.126.0.58 and higher
  • 11.124.0.37 and higher
  • 11.118.0.66 and higher
  • 11.110.0.116 and higher
  • 11.110.0.117 and higher
  • 11.102.0.41 and higher
  • 11.94.0.30 and higher
  • 11.86.0.43 and higher
  • WP Squared – 11.136.1.10 and higher

Additionally, cPanel has released version 110.0.114 as a direct update for customers still using CentOS 6 or CloudLinux 6.

Current Exploit Status

While there is currently no evidence that these vulnerabilities have been exploited in the wild, their disclosure follows closely after another critical flaw in the product, CVE-2026-41940, which has reportedly been weaponized by threat actors.

Users are strongly advised to update to the latest versions to ensure optimal protection against these vulnerabilities.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

Tags
Avatar photo
NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.

Articles: 194

Related Posts

Trending now

Tracy Arm’s Landscape Transformation After a Tsunami
Royal Navy
Royal Navy’s Proteus Drone Completes First Autonomous Flight
OpenSlopware
The Resurgence of OpenSlopware: A Repository of Controversy
AI
Listen Labs Secures $69 Million to Transform Market Research with AI