cPanel, WHM Launch Fixes for Three New Vulnerabilities — Patch Now

Ravie LakshmananMight 09, 2026Vulnerability / Net Internet hosting

cPanel has launched updates to handle three vulnerabilities in cPanel and Net Host Supervisor (WHM) that may very well be exploited to attain privilege escalation, code execution, and denial-of-service.

The checklist of vulnerabilities is as follows –

• CVE-2026-29201 (CVSS rating: 4.3) – An inadequate enter validation of the characteristic file identify within the “characteristic::LOADFEATUREFILE” adminbin name that might lead to an arbitrary file learn.
• CVE-2026-29202 (CVSS rating: 8.8) – An inadequate enter validation of the “plugin” parameter within the “create_user API” name that might lead to arbitrary Perl code execution on behalf of the already authenticated account’s system consumer.
• CVE-2026-29203 (CVSS rating: 8.8) – An unsafe symlink dealing with vulnerability that enables a consumer to switch entry permissions of an arbitrary file utilizing chmod, leading to denial-of-service or attainable privilege escalation.

The shortcomings have been patched within the following variations –

• cPanel and WHM –
  • 11.136.0.9 and better
  • 11.134.0.25 and better
  • 11.132.0.31 and better
  • 11.130.0.22 and better
  • 11.126.0.58 and better
  • 11.124.0.37 and better
  • 11.118.0.66 and better
  • 11.110.0.116 and better
  • 11.110.0.117 and better
  • 11.102.0.41 and better
  • 11.94.0.30 and better
  • 11.86.0.43 and better
• WP Squared –

cPanel has launched 110.0.114 as a direct replace for patrons who’re nonetheless on CentOS 6 or CloudLinux 6. Customers are suggested to replace to the most recent variations for optimum safety.

Whereas there is no such thing as a proof that the vulnerabilities have been exploited within the wild, the disclosure comes days after one other important flaw within the product (CVE-2026-41940) has been weaponized by menace actors as a zero-day to ship Mirai botnet variants and a ransomware pressure referred to as Sorry.