cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now
The Hacker News
Ravie Lakshmanan | May 09, 2026 | Vulnerability / Web Hosting
cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to achieve privilege escalation, code execution, and denial-of-service.
The list of vulnerabilities is as follows -
CVE-2026-29201 (CVSS score: 4.3) - Insufficient input validation of the feature file name in the "feature::LOADFEATUREFILE" adminbin call that could result in an arbitrary file read.
CVE-2026-29202 (CVSS score: 8.8) - Insufficient input validation of the "plugin" parameter in the "create_user API" call that could result in arbitrary Perl code execution on behalf of the already authenticated account's system user.
CVE-2026-29203 (CVSS score: 8.8) - An unsafe symlink handling vulnerability that allows a user to modify access permissions of an arbitrary file using chmod, resulting in denial-of-service or possible privilege escalation.
The shortcomings have been patched in the following versions -
cPanel and WHM -
11.136.0.9 and higher
11.134.0.25 and higher
11.132.0.31 and higher
11.130.0.22 and higher
11.126.0.58 and higher
11.124.0.37 and higher
11.118.0.66 and higher
11.110.0.116 and higher
11.110.0.117 and higher
11.102.0.41 and higher
11.94.0.30 and higher
11.86.0.43 and higher
WP Squared -
11.136.1.10 and higher
cPanel has released 110.0.114 as a direct update for customers who are still on CentOS 6 or CloudLinux 6. Users are advised to update to the latest versions for optimal protection.
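The version list above can be turned into a patch-level check for a server inventory. The following is an added example, not code from cPanel or from the original article; the function names, status strings and sample hosts are assumptions, and version strings are read as tier.minor.build with an optional leading "11.".

```python
import re

# (tier, minor) -> minimum patched build, copied from the article's list.
# (136, 1) is the WP Squared line. Tier 110 is listed twice (0.116 and 0.117),
# so the lower build is used as the threshold the article calls patched.
PATCHED = {
    (136, 0): 9, (136, 1): 10, (134, 0): 25, (132, 0): 31, (130, 0): 22,
    (126, 0): 58, (124, 0): 37, (118, 0): 66, (110, 0): 116,
    (102, 0): 41, (94, 0): 30, (86, 0): 43,
}
# Build the article names as the direct update for CentOS 6 / CloudLinux 6.
EL6_BUILD = ((110, 0), 114)

_VERSION = re.compile(r"^(?:11\.)?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Accept '11.110.0.116' or '110.0.116'; return (tier, minor, build)."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def check(text, el6=False):
    """Classify a version string; the status names are this example's own."""
    tier, minor, build = parse_version(text)
    key = (tier, minor)
    if key not in PATCHED:
        return "not-listed"        # tier absent from the article's list
    if build >= PATCHED[key]:
        return "patched"
    if el6 and (key, build) == EL6_BUILD:
        return "el6-update"        # the CentOS 6 / CloudLinux 6 build
    return "update-required"


if __name__ == "__main__":
    # Constructed sample inventory: (host, version, on CentOS 6 / CloudLinux 6)
    inventory = [
        ("web01.example", "11.136.0.9", False),
        ("web02.example", "11.134.0.24", False),
        ("wp01.example", "11.136.1.9", False),
        ("legacy.example", "110.0.114", True),
        ("odd.example", "11.128.0.5", False),
    ]
    for host, version, el6 in inventory:
        print(f"{host:16} {version:14} {check(version, el6)}")
```

A "not-listed" result means the article gives no patched build for that tier, not that the server is safe.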
While there is no evidence that the vulnerabilities have been exploited in the wild, the disclosure comes days after another critical flaw in the product (CVE-2026-41940) was weaponized by threat actors as a zero-day to deliver Mirai botnet variants and a ransomware strain called Sorry.