New cPanel vulnerabilities could allow file access and remote code execution
Publish Date: 2026-05-10 12:07:00
Source Domain: securityaffairs.com
Pierluigi Paganini
May 10, 2026

cPanel fixed three flaws that could allow file reads, code execution, and privilege escalation. No active exploitation has been reported yet.
cPanel has released security updates to fix three vulnerabilities affecting cPanel & WHM that could allow attackers to read files, execute code, or escalate privileges on vulnerable systems.
Below are the descriptions for these flaws:
- CVE-2026-29201 (CVSS score of 4.3): an input validation issue in the feature::LOADFEATUREFILE adminbin call that could let attackers read arbitrary files on the server.
- CVE-2026-29202 (CVSS score of 8.8): a critical flaw in the create_user API caused by improper validation of the plugin parameter. An authenticated attacker could exploit it to execute arbitrary Perl code with the privileges of the affected account.
- CVE-2026-29203 (CVSS score of 8.8): an unsafe symlink handling vulnerability that could allow a user to change permissions on arbitrary files using chmod, potentially leading to denial-of-service conditions or privilege escalation.
The issues have been patched across multiple supported cPanel & WHM releases, including versions 11.136.0.9, 11.134.0.25, 11.132.0.31, and newer builds. Updates were also released for WP Squared and legacy CentOS 6 / CloudLinux 6 systems.
Although there is currently no evidence of active exploitation, the disclosure comes shortly after threat actors weaponized another critical cPanel flaw, tracked as CVE-2026-41940, as a zero-day to deploy Mirai botnet variants.
Users should install the latest available versions as soon as possible.
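As an added example (not from cPanel or the original article), the following script checks a cPanel & WHM version string against the fixed builds listed above, for one host or across a fleet. It assumes the installed version is stored in /usr/local/cpanel/version, and it reports any release branch the article does not name as "unknown" rather than guessing; the function names are illustrative.

```shell
#!/bin/sh
# Added example: compare a cPanel & WHM version against the fixed builds the
# article names. Only those three branches are known here; the article says
# "including", so any other branch is reported as "unknown".

# Print the first fixed build number for a release branch (e.g. 11.134.0).
fixed_build_for() {
  case "$1" in
    11.136.0) echo 9 ;;
    11.134.0) echo 25 ;;
    11.132.0) echo 31 ;;
    *) return 1 ;;
  esac
}

# Print "patched", "vulnerable" or "unknown" for a four-field version string.
check_cpanel_version() {
  ver=$1
  # Reject empty input, non-numeric characters and malformed dot placement.
  case "$ver" in
    ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
  esac
  branch=${ver%.*}   # 11.134.0.25 -> 11.134.0
  build=${ver##*.}   # 11.134.0.25 -> 25
  # Require exactly three fields in the branch part.
  case "$branch" in
    *.*.*.*) echo unknown; return 0 ;;
    *.*.*) ;;
    *) echo unknown; return 0 ;;
  esac
  fixed=$(fixed_build_for "$branch") || { echo unknown; return 0; }
  # Numeric comparison, so build 100 is newer than build 31.
  if [ "$build" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# Check the version passed as $1, else the installed version file if present.
VERSION_FILE=/usr/local/cpanel/version   # assumed default install path
if [ -n "${1:-}" ]; then
  echo "$1: $(check_cpanel_version "$1")"
elif [ -r "$VERSION_FILE" ]; then
  v=$(cat "$VERSION_FILE")
  echo "$v: $(check_cpanel_version "$v")"
fi
```

A result of "unknown" means the branch is not one of the three named in the article, so the vendor advisory should be consulted for that release.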
Recently the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Microsoft Defender, tracked as CVE-2026-41940 (CVSS score of 9.3), to its Known Exploited Vulnerabilities (KEV)…