Web hosting control panel provider cPanel has issued urgent security updates to address three critical vulnerabilities discovered in its cPanel and Web Host Manager (WHM) platforms. These critical security flaws, detailed in recent advisories, could have allowed attackers to escalate privileges, execute arbitrary code, and launch denial-of-service attacks against hosted systems.
The vulnerabilities, identified by their CVE designations, highlight ongoing security challenges within web hosting infrastructure. The disclosure underscores how important it is for administrators to keep software up to date to protect web hosting environments against potential cyber threats.
cPanel Patches Critical Vulnerabilities Affecting Web Hosting Security
cPanel has released patches for three significant vulnerabilities affecting its widely used control panel software. These security flaws, if exploited, could compromise the integrity and availability of web hosting services managed through cPanel and WHM. The company has provided updated versions across a range of older product branches to ensure broad protection.
The most severe of these vulnerabilities, CVE-2026-29202 and CVE-2026-29203, both carry a CVSS score of 8.8, which places them in the high-severity range. These flaws could potentially allow an authenticated user to execute arbitrary Perl code on the server or gain unauthorized access to sensitive files, respectively. A third vulnerability, CVE-2026-29201, with a CVSS score of 4.3, enables arbitrary file reading, which could be used to gather information for further attacks.
Detailed Breakdown of cPanel Vulnerabilities
The first patched vulnerability, CVE-2026-29201, stems from insufficient input validation within the “feature::LOADFEATUREFILE” adminbin call. This weakness could allow an attacker to read arbitrary files on the system, potentially exposing sensitive configuration details or user data. Such information could then be leveraged in more sophisticated attacks against the web hosting infrastructure.
CVE-2026-29202 presents a more direct threat of code execution. This vulnerability arises from inadequate input validation on the “plugin” parameter in the “create_user API” call. Successful exploitation allows an authenticated user to execute arbitrary Perl code with the system privileges of the compromised account. This could lead to full server compromise and widespread data breaches.
The third identified flaw, CVE-2026-29203, involves unsafe handling of symbolic links. This vulnerability enables a user to modify the access permissions of any file using the `chmod` command. Attackers could exploit this to cause a denial of service by locking critical system files, or potentially to escalate privileges by altering permissions on sensitive administrative or executable files, significantly impacting web hosting operations.
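The general bug class described for CVE-2026-29203, shown as an added illustration that is not cPanel's code and is not taken from the advisory: a path-based chmod that follows symbolic links, next to a descriptor-based version that refuses them. The function names, file names and the temporary sandbox are hypothetical and constructed for this example, which assumes a Linux host.

```python
import os
import stat
import tempfile

def chmod_following_links(path, mode):
    # Unsafe pattern: os.chmod() resolves symlinks, so the mode lands on the link target.
    os.chmod(path, mode)

def chmod_no_follow(base_dir, name, mode):
    # Hardened pattern: open one path component relative to a trusted directory,
    # refuse symlinks, then change the mode of the inode that was actually opened.
    if "/" in name or name in ("", ".", ".."):
        raise ValueError("name must be a single path component")
    dir_fd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        # O_NOFOLLOW makes open() fail with ELOOP when the last component is a symlink.
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK, dir_fd=dir_fd)
        try:
            if not stat.S_ISREG(os.fstat(fd).st_mode):
                raise PermissionError("refusing to chmod a non-regular file")
            os.fchmod(fd, mode)  # acts on the open descriptor, so no path is re-resolved
        finally:
            os.close(fd)
    finally:
        os.close(dir_fd)

def demo():
    # Constructed sandbox: "protected.conf" stands in for a file outside the user's control.
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "protected.conf")
        user_dir = os.path.join(root, "user_dir")
        os.mkdir(user_dir)
        with open(protected, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(protected, 0o600)
        os.symlink(protected, os.path.join(user_dir, "page.html"))
        try:
            chmod_no_follow(user_dir, "page.html", 0o666)
            blocked = False
        except OSError:
            blocked = True
        after_hardened = stat.S_IMODE(os.stat(protected).st_mode)
        chmod_following_links(os.path.join(user_dir, "page.html"), 0o666)
        after_unsafe = stat.S_IMODE(os.stat(protected).st_mode)
        return blocked, after_hardened, after_unsafe

if __name__ == "__main__":
    print(demo())
```

The hardened helper only protects the final path component; it relies on `base_dir` itself being a directory the privileged process trusts.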
These security patches are available for numerous versions of cPanel and WHM, including releases as far back as version 11.86. Updates have been rolled out for 11.136, 11.134, 11.132, 11.130, 11.126, 11.124, 11.118, 11.110, 11.102, 11.94, and 11.86. A specific update, cPanel 110.0.114, has been provided for customers operating on CentOS 6 or CloudLinux 6 environments.
The rollout of these patches occurs shortly after another critical vulnerability, CVE-2026-41940, within cPanel was actively exploited in the wild. Threat actors leveraged this zero-day flaw to distribute variants of the Mirai botnet and deploy a ransomware strain known as “Sorry.” This ongoing exploitation highlights the persistent targeting of web hosting platforms by malicious actors.
While cPanel has not reported any in-the-wild exploitation of the newly disclosed vulnerabilities, the aggressive use of previous flaws underscores the imperative for immediate action. Web hosting providers and administrators are strongly urged to apply the available updates without delay to fortify their systems against these potential threats to web hosting security.

