Vulnerability

CERT-In Vulnerability Note CIVN-2026-0233
Multiple Vulnerabilities in cPanel & WHM (WP2)

Original Issue Date:May 14, 2026

Severity Rating: HIGH

Systems Affected

cPanel & WHM (Web Host Manager) versions:

prior to 11.136.0.9
prior to 11.134.0.25
prior to 11.132.0.31
prior to 11.130.0.22
prior to 11.126.0.58
prior to 11.124.0.37
prior to 11.118.0.66
prior to 11.110.0.117
prior to 11.102.0.41
prior to 11.94.0.30
prior to 11.86.0.43

WP Squared version prior to 11.136.1.11

Overview

Multiple vulnerabilities have been reported in cPanel & WHM, which could allow an attacker to read arbitrary files, execute arbitrary code, cause denial-of-service conditions, or escalate privileges on the targeted systems.

Target Audience:
Organizations and individuals using the affected cPanel & WHM-based hosting environments.

Risk Assessment:
High risk of escalate privileges, execute arbitrary code and read arbitrary files.

Impact Assessment:
Potential for read sensitive system files, remote code execution and denial-of -service conditions.

Description

cPanel & WHM is a widely used web hosting control panel that provides administrative (WHM) and user-level (cPanel) interfaces for managing servers and websites.

Multiple vulnerabilities exist in cPanel and WHM due to improper input validation in the "LOADFEATUREFILE adminbincall" feature, insufficient input validation of the "plugin" parameter in the "create_user API" and unsafe symlink handling that allows a user to change permissions on arbitrary files using chmod.

Successful exploitation of these vulnerabilities could allow an attacker to read arbitrary files, execute arbitrary code, cause denial-of-service conditions, or escalate privileges on the targeted systems.

Solution

Apply appropriate software updates as mentioned by the vendor:
https://support.cpanel.net/hc/en-us/articles/40311033698327-Security-CVE-2026-29201-cPanel-WHM-WP2-Security-Update-May-08-2026

https://support.cpanel.net/hc/en-us/articles/40311426610327-Security-CVE-2026-29202-cPanel-WHM-WP2-Security-Update-May-08-2026

https://support.cpanel.net/hc/en-us/articles/40311543760407-Security-CVE-2026-29203-cPanel-WHM-WP2-Security-Update-May-08-2026

Vendor Information

cPanel
https://support.cpanel.net/hc/en-us/articles/40311033698327-Security-CVE-2026-29201-cPanel-WHM-WP2-Security-Update-May-08-2026
https://support.cpanel.net/hc/en-us/articles/40311426610327-Security-CVE-2026-29202-cPanel-WHM-WP2-Security-Update-May-08-2026
https://support.cpanel.net/hc/en-us/articles/40311543760407-Security-CVE-2026-29203-cPanel-WHM-WP2-Security-Update-May-08-2026

References

CVE Name
CVE-2026-29201
CVE-2026-29202
CVE-2026-29203

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-22902657

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India