LiteSpeed User-End cPanel Plugin root script execution security flaw (CVE-2026-48172)
Vulnerability
Summary
Hide ▲
Show ▼
CVE-2026-48172 in the LiteSpeed User-End cPanel Plugin is now actively exploited, creating root-level arbitrary script execution risk for exposed cPanel systems. The flaw is an incorrect privilege assignment issue affecting plugin versions 2.3 through 2.4.4, and LiteSpeed fixed it in 2.4.5. Operators should treat affected servers as urgent patch candidates and investigate the published lsws.redisAble indicator of compromise.
Related Happenings
CISA KEV order for FCEB agencies on LiteSpeed cPanel flaw
Public Sector Action
H score36
First: 16.06.2026 13:47
Last: 16.06.2026 13:47
Sources 1
How related:
On Monday, CISA also added that the vulnerability to its Known Exploited Vulnerabilities Catalog (KEV), ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems within three days, as required by Binding Operational Directive (BOD) 26-04.
About this happening:
**CISA** added the **LiteSpeed cPanel user-end plugin** flaw to **KEV** and ordered **Federal Civilian Executive Branch agencies** to secure systems within **three days** under **...
CISA KEV order for FCEB agencies on LiteSpeed cPanel flaw
Public Sector ActionHow related: On Monday, CISA also added that the vulnerability to its Known Exploited Vulnerabilities Catalog (KEV), ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems within three days, as required by Binding Operational Directive (BOD) 26-04.
About this happening: **CISA** added the **LiteSpeed cPanel user-end plugin** flaw to **KEV** and ordered **Federal Civilian Executive Branch agencies** to secure systems within **three days** under **...
CISA KEV mitigation for LiteSpeed cPanel Plugin (CVE-2026-54420)
Advisory/Mitigation
H score38
First: 16.06.2026 08:41
Last: 16.06.2026 08:41
Sources 1
How related:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. government agencies three days to secure their servers against an actively exploited vulnerability (CVE-2026-54420) in the LiteSpeed cPanel user-end plugin.
About this happening:
CISA put **CVE-2026-54420** in **LiteSpeed cPanel Plugin** on the **KEV catalog**, ordering **FCEB agencies** to apply fixes by **June 18, 2026**. The flaw is a **CVSS 8.5 privile...
CISA KEV mitigation for LiteSpeed cPanel Plugin (CVE-2026-54420)
Advisory/MitigationHow related: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. government agencies three days to secure their servers against an actively exploited vulnerability (CVE-2026-54420) in the LiteSpeed cPanel user-end plugin.
About this happening: CISA put **CVE-2026-54420** in **LiteSpeed cPanel Plugin** on the **KEV catalog**, ordering **FCEB agencies** to apply fixes by **June 18, 2026**. The flaw is a **CVSS 8.5 privile...
CPanel CVE-2026-41940 mitigation guidance
Advisory/Mitigation
H score89
First: 30.04.2026 14:40
Last: 30.04.2026 14:40
Sources 1
About this happening:
cPanel issued mitigation guidance for **CVE-2026-41940** after fixes became available for **cPanel, WHM, and WP Squared**, urging customers to restart **cpsrvd** to reduce exposur...
CPanel CVE-2026-41940 mitigation guidance
Advisory/MitigationAbout this happening: cPanel issued mitigation guidance for **CVE-2026-41940** after fixes became available for **cPanel, WHM, and WP Squared**, urging customers to restart **cpsrvd** to reduce exposur...
Linux distributions mitigation advisories for CVE-2026-31431
Advisory/Mitigation
H score39
First: 30.04.2026 12:24
Last: 30.04.2026 12:24
Sources 1
About this happening:
Multiple **Linux distributions** released advisories for **CVE-2026-31431**, adding mitigation guidance for a **Linux kernel local privilege escalation** that can let an unprivile...
Linux distributions mitigation advisories for CVE-2026-31431
Advisory/MitigationAbout this happening: Multiple **Linux distributions** released advisories for **CVE-2026-31431**, adding mitigation guidance for a **Linux kernel local privilege escalation** that can let an unprivile...
CPanel and WHM authentication bypass (CVE-2026-41940)
Vulnerability
H score89
First: 29.04.2026 12:37
Last: 29.04.2026 12:37
Sources 1
About this happening:
**cPanel and WHM** are affected by **CVE-2026-41940**, an **authentication bypass** in the login flow that can let **unauthenticated remote attackers** gain control-panel access....
CPanel and WHM authentication bypass (CVE-2026-41940)
VulnerabilityAbout this happening: **cPanel and WHM** are affected by **CVE-2026-41940**, an **authentication bypass** in the login flow that can let **unauthenticated remote attackers** gain control-panel access....
Timeline
-
23.05.2026 10:35 4 articles · 1mo ago
LiteSpeed discloses active exploitation of CVE-2026-48172
Initial DisclosureLiteSpeed User-End cPanel Plugin CVE-2026-48172 is being actively exploited in the wild. The incorrect privilege assignment flaw lets a cPanel user, including an attacker or compromised account, abuse the lsws.redisAble function to execute arbitrary scripts as root on affected systems. The vulnerable range is plugin versions 2.3 through 2.4.4, the issue is fixed in 2.4.5, and LiteSpeed also released cPanel plugin 2.4.7 bundled with WHM plugin 5.3.1.0 after patching additional potential attack vectors in both plugins. LiteSpeed published a grep check for cpanel_jsonapi_func=redisAble, and security researcher David Strydom is credited with discovering and reporting the flaw.
Show sources
- LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root — thehackernews.com — 23.05.2026 10:35
- LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root — thehackernews.com — 23.05.2026 10:35
- CISA gives feds 4 days to patch actively exploited cPanel plugin flaw — www.bleepingcomputer.com — 27.05.2026 13:06
- CISA warns of another cPanel plugin flaw exploited in attacks — www.bleepingcomputer.com — 16.06.2026 13:47