cPanel has launched updates to handle three vulnerabilities in cPanel and Net Host Supervisor (WHM) that may very well be exploited to attain privilege escalation, code execution, and denial-of-service.
The checklist of vulnerabilities is as follows –
- CVE-2026-29201 (CVSS rating: 4.3) – An inadequate enter validation of the characteristic file identify within the “characteristic::LOADFEATUREFILE” adminbin name that might lead to an arbitrary file learn.
- CVE-2026-29202 (CVSS rating: 8.8) – An inadequate enter validation of the “plugin” parameter within the “create_user API” name that might lead to arbitrary Perl code execution on behalf of the already authenticated account’s system consumer.
- CVE-2026-29203 (CVSS rating: 8.8) – An unsafe symlink dealing with vulnerability that enables a consumer to switch entry permissions of an arbitrary file utilizing chmod, leading to denial-of-service or attainable privilege escalation.
The shortcomings have been patched within the following variations –
- cPanel and WHM –
- 11.136.0.9 and better
- 11.134.0.25 and better
- 11.132.0.31 and better
- 11.130.0.22 and better
- 11.126.0.58 and better
- 11.124.0.37 and better
- 11.118.0.66 and better
- 11.110.0.116 and better
- 11.110.0.117 and better
- 11.102.0.41 and better
- 11.94.0.30 and better
- 11.86.0.43 and better
- WP Squared –
cPanel has launched 110.0.114 as a direct replace for patrons who’re nonetheless on CentOS 6 or CloudLinux 6. Customers are suggested to replace to the most recent variations for optimum safety.
Whereas there is no such thing as a proof that the vulnerabilities have been exploited within the wild, the disclosure comes days after one other important flaw within the product (CVE-2026-41940) has been weaponized by menace actors as a zero-day to ship Mirai botnet variants and a ransomware pressure referred to as Sorry.
