VULNERABILITY BRIEF · High

cPanel/WHM Privilege‑Escalation, Code‑Execution & DoS Vulnerabilities (CVE‑2026‑29201) Threaten Hosting Providers

cPanel has issued patches for three critical flaws that could let attackers gain root access, execute arbitrary code, or cause denial‑of‑service on WHM servers. Hosting providers and their customers must patch immediately to avoid supply‑chain compromise.

LiveThreat™ Intelligence · May 09, 2026 · thehackernews.com
Severity: High · Type: Vulnerability · Confidence: High · Affected: 2 sector(s) · Actions: 5 recommended · Source: thehackernews.com

What It Is – cPanel released patches for three newly disclosed flaws in cPanel & Web Host Manager (WHM). One of them (CVE‑2026‑29201) has a CVSS score of 4.3 and stems from insufficient input validation in the feature::LOADFEATUREFILE admin‑bin call; the other two enable privilege escalation, remote code execution, and denial‑of‑service.

Exploitability – No public exploits have been observed yet, but the vulnerabilities are exploitable by authenticated or low‑privilege attackers on the management interface. The CVSS rating (4.3) reflects moderate severity, but the potential impact on multi‑tenant hosting environments raises the overall risk.

Affected Products – cPanel 115.0.0 and later, WHM 115.0.0 and later (all supported versions prior to the May 2026 patch).

TPRM Impact – Hosting providers, MSPs, and any third‑party services that rely on cPanel/WHM to deliver web‑hosting or SaaS platforms inherit the risk. A successful exploit could allow an attacker to gain root‑level access on a shared server, pivot to customer sites, exfiltrate data, or cause service outages, creating a supply‑chain exposure for downstream clients.

Recommended Actions

  • Deploy the May 2026 cPanel/WHM security update immediately on all managed servers.
  • Verify the patch level via cpanel -v and whmapi1 get_version.
  • Review audit logs for any use of the feature::LOADFEATUREFILE call or abnormal process activity.
  • Harden access to the WHM admin interface (IP allow‑lists, MFA, rate‑limiting).
  • Conduct a rapid risk assessment of any downstream customers that host critical workloads on affected instances.

Source: The Hacker News – cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now

Original Source: https://thehackernews.com/2026/05/cpanel-whm-patch-3-new-vulnerabilities.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
