HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical RCE in LiteSpeed cPanel Plugin (CVE-2026-48172) Enables Root Script Execution

A CVSS 10.0 vulnerability (CVE‑2026‑48172) in LiteSpeed's cPanel plugin allows any authenticated user to run arbitrary scripts as root. Active exploits are observed in the wild, posing a severe supply‑chain risk for organizations relying on third‑party hosting that uses this stack.

LiveThreat™ Intelligence · 📅 May 23, 2026· 📰 thehackernews.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
5 recommended
📰
Source
thehackernews.com

LiteSpeed cPanel Plugin (CVE‑2026‑48172) Remote Code Execution Enables Root Script Execution

What It Is – A critical privilege‑escalation flaw in the LiteSpeed User‑End cPanel plugin allows any authenticated cPanel user, or a compromised account, to execute arbitrary scripts with root privileges. The vulnerability is tracked as CVE‑2026‑48172 and carries a CVSS v3.1 base score of 10.0.

Exploitability – Public exploit code has been observed in the wild; threat actors are actively leveraging the bug to gain full system control on vulnerable hosting environments. No vendor‑issued patch is available at the time of writing.

Affected Products – LiteSpeed Web Server + User‑End cPanel Plugin (versions prior to the undisclosed fix) deployed on shared‑hosting or managed‑hosting platforms that use cPanel.

TPRM Impact – The flaw creates a direct supply‑chain risk for organizations that outsource web‑hosting to providers using LiteSpeed‑cPanel stacks. A compromised host can be used to pivot into customer environments, exfiltrate data, or host ransomware.

Recommended Actions

  • Immediately inventory all third‑party hosting providers that run LiteSpeed with the cPanel plugin.
  • Push emergency mitigation: restrict cPanel access to trusted IPs, enforce MFA, and monitor for anomalous script execution.
  • Contact providers for patch status; if no fix is forthcoming, consider temporary migration to alternative web‑server stacks.
  • Deploy host‑based IDS/EDR to detect unexpected root processes.
  • Update incident‑response playbooks to include this specific CVE.

Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/05/litespeed-cpanel-plugin-cve-2026-48172.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →