New cPanel vulnerabilities could allow file access and remote code execution

cPanel fixed three flaws that could allow file reads, code execution, and privilege escalation. No active exploitation has been reported yet.
cPanel has released security updates to fix three vulnerabilities affecting cPanel & WHM that could allow attackers to read files, execute code, or escalate privileges on vulnerable systems.
Below are the descriptions for these flaws:
- CVE-2026-29201 (CVSS score of 4.3): an input validation issue in the feature::LOADFEATUREFILE adminbin call that could let attackers read arbitrary files on the server.
- CVE-2026-29202 (CVSS score of 8.8): a critical flaw in the create_user API caused by improper validation of the plugin parameter. An authenticated attacker could exploit it to execute arbitrary Perl code with the privileges of the affected account.
- CVE-2026-29203 (CVSS score of 8.8): an unsafe symlink handling vulnerability that could allow a user to change permissions on arbitrary files using chmod, potentially leading to denial-of-service conditions or privilege escalation.
The issues have been patched across multiple supported cPanel & WHM releases, including versions 11.136.0.9, 11.134.0.25, 11.132.0.31, and newer builds. Updates were also released for WP Squared and legacy CentOS 6 / CloudLinux 6 systems.
Although there is currently no evidence of active exploitation, the disclosure comes shortly after threat actors weaponized another critical cPanel flaw, tracked as CVE-2026-41940, as a zero-day to deploy Mirai botnet variants.
Users should install the latest available versions as soon as possible.
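To check a fleet against the patched builds listed above, the following added example (not code from cPanel or from the original article) classifies version strings by release tier. The sample inventory is constructed, the default path /usr/local/cpanel/version is an assumption about where the installed version is recorded, and tiers the article does not name are reported as "unlisted" rather than guessed.

```python
import re
from pathlib import Path

# Patched builds quoted in the article, keyed by release tier (second field).
PATCHED = {136: (11, 136, 0, 9), 134: (11, 134, 0, 25), 132: (11, 132, 0, 31)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def classify(version):
    """Return 'patched', 'vulnerable', 'unlisted' or 'invalid'."""
    m = VERSION_RE.match(version.strip())
    if m is None:
        return "invalid"
    parsed = tuple(int(p) for p in m.groups())  # integers: build 9 < build 25
    fixed = PATCHED.get(parsed[1])
    if parsed[0] != 11 or fixed is None:
        # Tier not named in the article: consult the vendor advisory.
        return "unlisted"
    return "patched" if parsed >= fixed else "vulnerable"


def audit(inventory):
    """Map each host in {host: version} to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}


def local_version(path="/usr/local/cpanel/version"):
    """Read the installed version; the default path is an assumption."""
    p = Path(path)
    return p.read_text().strip() if p.is_file() else None


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "web01.example": "11.136.0.9",   # exactly the patched build
    "web02.example": "11.134.0.9",   # below 11.134.0.25 (string compare errs)
    "web03.example": "11.132.0.40",  # newer build on a listed tier
    "web04.example": "11.130.0.12",  # tier not listed in the article
    "web05.example": "11.136.0",     # malformed: truncated version string
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
    installed = local_version()
    if installed:
        print(f"localhost ({installed}): {classify(installed)}")
```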
Recently the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Microsoft Defender, tracked as CVE-2026-41940 (CVSS score of 9.3), to its Known Exploited Vulnerabilities (KEV) catalog.
Cybersecurity experts at watchTowr first disclosed the flaw earlier this week and released a tool to help defenders identify vulnerable hosts in their estates.
“As we stated above, in-the-wild exploitation has already begun, according to KnownHost,” reads the advisory by watchTowr. “Therefore, we’re releasing our Detection Artifact Generator to enable defenders to identify vulnerable hosts in their estates.”
CVE-2026-41940 is an authentication bypass flaw affecting cPanel and WHM versions after 11.40. A weakness in the login flow allows remote attackers to skip or manipulate authentication checks, granting access to the control panel without valid credentials. This could let attackers manage hosting settings, access sensitive data, or take control of the server.
According to the Shadowserver Foundation, thousands of instances may be exposed.
cPanel and watchTowr released tools to detect compromise and vulnerable hosts. Exploits date back to February. Namecheap warned customers of temporary access limits to mitigate risk.
Pierluigi Paganini
(SecurityAffairs – hacking, CVE-2026-29201, CVE-2026-29202, CVE-2026-29203)

