HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Critical cPanel Vulnerabilities Enable File Access, Remote Code Execution, and Privilege Escalation Across Hosting Platforms

cPanel disclosed three new flaws—file read, authenticated RCE, and permission‑change attacks—with CVSS scores up to 8.8. While no active exploitation is reported for these CVEs, a separate zero‑day (CVE‑2026‑41940) is already weaponized, making rapid patching essential for hosting providers and their customers.

LiveThreat™ Intelligence · 📅 May 11, 2026· 📰 securityaffairs.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
3 recommended
📰
Source
securityaffairs.com

Critical cPanel Vulnerabilities Enable File Access, Remote Code Execution, and Privilege Escalation Across Hosting Platforms

What Happened — cPanel released patches for three newly disclosed flaws (CVE‑2026‑29201, CVE‑2026‑29202, CVE‑2026‑29203) that could allow arbitrary file reads, authenticated Perl code execution, and permission‑change attacks leading to denial‑of‑service or privilege escalation. No active exploitation has been observed for these three CVEs, but a related zero‑day (CVE‑2026‑41940) is already being weaponized by threat actors to deploy Mirai‑derived botnets.

Why It Matters for TPRM

  • Hosting providers and SaaS platforms that rely on cPanel/WHM are exposed to high‑impact code execution and data‑leak vectors.
  • Unpatched instances can become footholds for botnet recruitment, amplifying supply‑chain risk for downstream customers.
  • The rapid emergence of a separate zero‑day underscores the need for aggressive patch management across third‑party infrastructure.

Who Is Affected — Web‑hosting firms, managed service providers, cloud‑hosted SaaS applications, and any organization that outsources web‑server management to cPanel/WHM environments.

Recommended Actions

  • Verify that all cPanel/WHM instances are running the patched releases (≥ 11.136.0.9, 11.134.0.25, 11.132.0.31, or newer).
  • Conduct an inventory scan for the legacy CVE‑2026‑41940 vulnerability using the watchTowr detection artifact.
  • Enforce strict change‑management and patch‑testing processes for third‑party hosting services.

Technical Notes

  • CVE‑2026‑29201 (CVSS 4.3): Input validation flaw in feature::LOADFEATUREFILE allowing arbitrary file reads.
  • CVE‑2026‑29202 (CVSS 8.8): Authenticated RCE via malformed plugin parameter in create_user API, executing Perl code with the caller’s privileges.
  • CVE‑2026‑29203 (CVSS 8.8): Unsafe symlink handling that permits arbitrary chmod operations, enabling DoS or privilege escalation.
  • Recent exploitation of CVE‑2026‑41940 (CVSS 9.3) demonstrates a real‑world authentication bypass that can give attackers full control of the control panel.

Source: Security Affairs

📰 Original Source
https://securityaffairs.com/191931/security/new-cpanel-vulnerabilities-could-allow-file-access-and-remote-code-execution.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

Monitor Your Vendor Risk with LiveThreat™

Get automated breach alerts, security scorecards, and intelligence briefs when your vendors are compromised.

Start Free Trial → Learn About Scorecards
← All Intelligence Briefs Breach Watch Feed →