GBHackers

New cPanel and WHM Vulnerabilities Expose Servers to Code Execution and DoS Attacks


cPanel and WebHost Manager (WHM) are critical administrative control panels used by hosting providers globally to manage servers, websites, and databases.

Due to their widespread deployment, vulnerabilities in these platforms immediately become high-value targets for threat actors. On May 8, 2026, researchers disclosed three severe security flaws impacting cPanel, WHM, and the WP Squared platform.

These vulnerabilities expose hosting environments to arbitrary code execution, sensitive file exposure, and denial-of-service (DoS) conditions. The vendor has released emergency patches, and system administrators must urgently update their infrastructure to prevent exploitation.

New cPanel and WHM Vulnerabilities

The most severe of the disclosed flaws, CVE-2026-29202, involves a critical Perl code-injection vulnerability. This flaw originates within the create_user API call and is specifically tied to the manipulation of the plugin parameter.

If successfully exploited, this vulnerability allows attackers to inject and execute malicious Perl scripts directly on the underlying server. This type of compromise grants threat actors deep administrative access to the hosting environment, putting all hosted websites, customer data, and backend configurations at severe risk.

A secondary significant vulnerability, identified as CVE-2026-29201, exposes servers to arbitrary file reads. This security gap was discovered in the feature::LOADFEATUREFILE adminbin call, which fails to validate the user-provided feature file name adequately.

Because a relative path can be passed as an argument to this administrative call, attackers can manipulate the request to make any arbitrary file on the server world-readable. This creates a dangerous avenue for unauthorized actors to extract sensitive system configuration files, database credentials, and proprietary user data.

The third security flaw, CVE-2026-29203, stems from unsafe handling of symlinks. This structural vulnerability permits a local user to execute a chmod command on arbitrary files.

By manipulating file permissions through maliciously crafted symlinks, an attacker can intentionally break system operations to initiate a denial-of-service attack against the server. Furthermore, researchers warn that this manipulation could potentially be chained to achieve local privilege escalation.

Patched Versions and System Updates

The software vendor has rolled out comprehensive security patches across multiple release branches to mitigate these threats. System administrators utilizing cPanel and WHM must verify their environments are updated to version 11.136.0.9 or higher.

For infrastructure operating on older software tracks, the security team has deployed backported patches for versions 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, and 11.124.0.37.

Furthermore, legacy branches have received critical updates starting from releases 11.118.0.66, 11.110.0.116, 11.110.0.117, 11.102.0.41, 11.94.0.30, and 11.86.0.43.

Environments running the WP Squared platform are equally affected by these vulnerabilities and must be updated to version 11.136.1.10 or higher. The vendor has also made a special provision for hosting providers still maintaining CentOS 6 or CloudLinux 6 architecture.

These legacy users receive a direct update mechanism to version 110.0.114 to secure their outdated operating systems against these specific CVEs.

Security teams and system administrators should manually force a system update to ensure these patches are applied immediately.

Administrators can initiate the upgrade directly from the server command line by executing the /scripts/upcp --force command. After installation, verify that the patched version is running by executing /usr/local/cpanel/cpanel -V to check the current build number.

For legacy CentOS 6 or CloudLinux 6 deployments, administrators must first configure the appropriate upgrade tier before applying the patch.

This requires modifying the update configuration file using a stream editor command to change the CPANEL variable to cl6110.

Once this specific tier is set, administrators can proceed with the standard force-update command to secure their servers against potential exploitation by threat actors.
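The version check described above can be scripted for a fleet. The following is an added example, not code from the article or the vendor: it compares a version string against the patched builds listed in this article. The function names are hypothetical, the "136.0 (build 9)" output form is an assumption about what cpanel -V prints, and release lines later than 136 are treated as patched on the strength of the article's "or higher".

```shell
#!/bin/sh
# First patched build per release line, as listed in the article.
# Key is "branch.minor"; 136.1 is the WP Squared line. Branch 110 is left out
# on purpose: the article names several builds for it (110.0.114 for
# CentOS 6 / CloudLinux 6, 11.110.0.116, 11.110.0.117), so it needs a human.
min_build() {
  case "$1" in
    136.0) echo 9 ;;  136.1) echo 10 ;; 134.0) echo 25 ;; 132.0) echo 31 ;;
    130.0) echo 22 ;; 126.0) echo 58 ;; 124.0) echo 37 ;; 118.0) echo 66 ;;
    102.0) echo 41 ;; 94.0)  echo 30 ;; 86.0)  echo 43 ;;
    *) return 1 ;;
  esac
}

# check_cpanel_version VERSION
# Returns 0 = at or above the patched build, 1 = below it, 2 = review manually
# (unparseable string, or a release line with no single build in the table).
check_cpanel_version() {
  # Accept "11.136.0.9", "136.0.9" and "136.0 (build 9)" (assumed -V format).
  v=$(printf '%s' "$1" | sed -E \
      -e 's/ *\(build ([0-9]+)\)$/.\1/' \
      -e 's/^11\.([0-9]+\.[0-9]+\.[0-9]+)$/\1/')
  printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 2
  branch=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; build=${rest#*.}
  # "11.136.0.9 or higher": any later release line already carries the fix.
  [ "$branch" -gt 136 ] && return 0
  min=$(min_build "$branch.$minor") || return 2
  [ "$build" -ge "$min" ] && return 0
  return 1
}

# Constructed sample strings, not output captured from a real server.
for sample in "11.136.0.9" "134.0 (build 24)" "11.136.1.10" "11.110.0.115"; do
  check_cpanel_version "$sample" && rc=0 || rc=$?
  case "$rc" in
    0) state="patched" ;;
    1) state="BELOW patched build" ;;
    *) state="review manually" ;;
  esac
  printf '%-18s %s\n' "$sample" "$state"
done
```

On a live server the argument would be the output of /usr/local/cpanel/cpanel -V; a return code of 2 means the build should be compared against the vendor advisory by hand.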
