cPanel and WHM Arbitrary Code Execution and Privilege Escalation Vulnerabilities (CVE-2026-29201, CVE-2026-29202, CVE-2026-29203) Patched
Summary
cPanel and WHM released updates addressing three vulnerabilities—CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203—with potential for arbitrary file read, arbitrary Perl code execution, denial-of-service, and privilege escalation. The flaws arise from insufficient input validation and unsafe symlink handling, impacting multiple versions of cPanel and WHM. Users are urged to update to patched versions immediately due to the severity and historical exploitation of similar issues.
Timeline
- 09.05.2026 10:16 (1 article)
cPanel and WHM Release Patches for Privilege Escalation, Code Execution, and DoS Vulnerabilities (CVE-2026-29201, CVE-2026-29202, CVE-2026-29203)
cPanel and WHM released updates addressing three vulnerabilities—CVE-2026-29201 (arbitrary file read), CVE-2026-29202 (arbitrary Perl code execution), and CVE-2026-29203 (denial-of-service/privilege escalation via unsafe symlink handling). Affected versions span multiple branches, with direct patch 110.0.114 for legacy CentOS 6/CloudLinux 6 systems. While no active exploitation is reported, historical weaponization of a related flaw highlights the urgency for immediate updates.
- cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now — thehackernews.com — 09.05.2026 10:16
Information Snippets
- CVE-2026-29201 (CVSS 4.3) allows arbitrary file read via insufficient input validation in the feature::LOADFEATUREFILE adminbin call.
  First reported: 09.05.2026 10:16 (1 source, 1 article)
- CVE-2026-29202 (CVSS 8.8) enables arbitrary Perl code execution on behalf of an authenticated system user via insufficient input validation in the create_user API call.
  First reported: 09.05.2026 10:16 (1 source, 1 article)
- CVE-2026-29203 (CVSS 8.8) allows modification of arbitrary file permissions via unsafe symlink handling, leading to denial-of-service or privilege escalation.
  First reported: 09.05.2026 10:16 (1 source, 1 article)
- Patched versions include cPanel & WHM 11.136.0.9+, 11.134.0.25+, 11.132.0.31+, 11.130.0.22+, 11.126.0.58+, 11.124.0.37+, 11.118.0.66+, 11.110.0.116+, 11.110.0.117+, 11.102.0.41+, 11.94.0.30+, and 11.86.0.43+. WP Squared is patched at 11.136.1.10+.
  First reported: 09.05.2026 10:16 (1 source, 1 article)
- Direct update 110.0.114 is available for systems on CentOS 6 or CloudLinux 6.
  First reported: 09.05.2026 10:16 (1 source, 1 article)
- No evidence of exploitation in the wild has been reported, though recent weaponization of a related zero-day (CVE-2026-41940) delivered Mirai botnet variants and a ransomware strain named Sorry.
  First reported: 09.05.2026 10:16 (1 source, 1 article)
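For the patched-version and direct-update snippets above, an added example (not code from cPanel or from the source article) that checks a cPanel & WHM version string against the patched floor for its branch. The function names and the `legacy_el6` flag are hypothetical. Assumptions: the CentOS 6 / CloudLinux 6 direct update 110.0.114 carries the fixes, and because the page lists both 116+ and 117+ for branch 110 without saying which applies where, build 116 is reported as `verify` rather than `patched`.

```python
import re
import sys

# Patched floors per release branch, copied from the list on this page
# (cPanel & WHM only; WP Squared has its own floor and is not handled here).
FLOORS = {136: (0, 9), 134: (0, 25), 132: (0, 31), 130: (0, 22),
          126: (0, 58), 124: (0, 37), 118: (0, 66), 102: (0, 41),
          94: (0, 30), 86: (0, 43)}
# Branch 110 is listed twice (116+ and 117+), plus a direct update 110.0.114
# for CentOS 6 / CloudLinux 6, so it is handled separately below.
B110_LOW, B110_HIGH, B110_EL6 = (0, 116), (0, 117), (0, 114)


def parse_version(text):
    """Accept '11.136.0.9' or '136.0.9'; return (branch, (minor, build))."""
    m = re.fullmatch(r"\s*(?:11\.)?(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    branch, minor, build = map(int, m.groups())
    return branch, (minor, build)


def classify(version, legacy_el6=False):
    """Return 'patched', 'vulnerable', 'verify' or 'unlisted-branch'."""
    branch, rest = parse_version(version)
    if branch == 110:
        if legacy_el6:  # assumption: 110.0.114 contains the fixes on EL6
            return "patched" if rest >= B110_EL6 else "vulnerable"
        if rest >= B110_HIGH:
            return "patched"
        # 116 is listed as patched, but so is 117; confirm with the vendor.
        return "verify" if rest >= B110_LOW else "vulnerable"
    floor = FLOORS.get(branch)
    if floor is None:
        # The page names no fixed build for this branch.
        return "unlisted-branch"
    return "patched" if rest >= floor else "vulnerable"


if __name__ == "__main__":
    # Usage: script.py VERSION [el6]
    el6 = len(sys.argv) > 2 and sys.argv[2] == "el6"
    status = classify(sys.argv[1], legacy_el6=el6)
    print(f"{sys.argv[1]}: {status}")
    sys.exit(0 if status == "patched" else 1)
```

A non-zero exit code covers `vulnerable`, `verify` and `unlisted-branch`, so the script can gate a fleet inventory job without treating an unknown branch as safe.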