Vulnerability

CERT-In Vulnerability Note CIVN-2026-0245
Multiple Vulnerabilities in cPanel & WHM (WP2)

Original Issue Date:May 19, 2026

Severity Rating: HIGH

Systems Affected

cPanel & WHM (Web Host Manager) versions:

prior to 11.136.0.10
prior to 11.134.0.26
prior to 11.132.0.32
prior to 11.130.0.23
prior to 11.126.0.59
prior to 11.124.0.38
prior to 11.118.0.67
prior to 11.110.0.118
prior to 11.102.0.42
prior to 11.94.0.31
prior to 11.86.0.44
WP Squared version prior to 11.136.1.12

Overview

Multiple vulnerabilities have been reported in cPanel & WHM, which could allow an attacker to trigger elevation of privilege, conduct man-in-the-middle attacks, execute arbitrary code and gain unauthorized access to sensitive information on the targeted systems.

Target Audience:
Organizations and individuals using the affected cPanel & WHM-based hosting environments.

Risk Assessment:
High risk of privilege escalation, sensitive information disclosure, credential interception and compromise of affected systems.

Impact Assessment:
Potential unauthorized access to sensitive information or full system compromise.

Description

cPanel & WHM is a widely used web hosting control panel that provides administrative (WHM) and user-level (cPanel) interfaces for managing servers and websites.

Multiple vulnerabilities exist in cPanel and WHM due to improper authorization checks in team management functionality, disabled SSL certificate verification in the DNS Cluster feature, improper sanitization of HTTP query parameters and insufficient input validation mechanisms.

Successful exploitation of these vulnerabilities could allow an attacker to trigger elevation of privilege, conduct man-in-the-middle attacks, execute arbitrary code and gain unauthorized access to sensitive information on the targeted systems.

Solution

Apply appropriate software updates as mentioned by the vendor:
https://support.cpanel.net/hc/en-us/articles/40437313190295-Security-CVE-2026-32993-cPanel-WHM-WP2-Security-Update-May-13-2026

https://support.cpanel.net/hc/en-us/articles/40437241987607-Security-CVE-2026-32992-cPanel-WHM-WP2-Security-Update-May-13-2026

https://support.cpanel.net/hc/en-us/articles/40437254183959-Security-CVE-2026-32991-cPanel-WHM-WP2-Security-Update-May-13-2026

https://support.cpanel.net/hc/en-us/articles/40437213099159-Security-CVE-2026-29206-cPanel-WHM-WP2-Security-Update-May-13-2026

https://support.cpanel.net/hc/en-us/articles/40437020299927-Security-CVE-2026-29205-cPanel-WHM-WP2-Security-Update-May-13-2026

Vendor Information

cPanel
https://support.cpanel.net/hc/en-us/articles/40437313190295-Security-CVE-2026-32993-cPanel-WHM-WP2-Security-Update-May-13-2026
https://support.cpanel.net/hc/en-us/articles/40437241987607-Security-CVE-2026-32992-cPanel-WHM-WP2-Security-Update-May-13-2026
https://support.cpanel.net/hc/en-us/articles/40437254183959-Security-CVE-2026-32991-cPanel-WHM-WP2-Security-Update-May-13-2026
https://support.cpanel.net/hc/en-us/articles/40437213099159-Security-CVE-2026-29206-cPanel-WHM-WP2-Security-Update-May-13-2026
https://support.cpanel.net/hc/en-us/articles/40437020299927-Security-CVE-2026-29205-cPanel-WHM-WP2-Security-Update-May-13-2026

References

CVE Name
CVE-2026-32993
CVE-2026-32992
CVE-2026-32991
CVE-2026-29206
CVE-2026-29205

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-22902657

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India