New cPanel and WHM Flaws Enable Code Execution, DoS Attacks

HomeCyber Security News New cPanel and WHM Flaws Enable Code Execution, DoS Attacks By Guru Baran May 10, 2026 cPanel has disclosed three critical security vulnerabilities tracked as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203 affecting its widely deployed cPanel & WHM web hosting control panel and WP Squared (WP2) platform. The flaws, patched on May 8, 2026, expose servers to arbitrary file reads, Perl code injection, and denial-of-service (DoS) attacks, making immediate patching essential for hosting providers and server administrators. In April, another cPanel vulnerability, tracked as CVE-2026-41940, was exploited in the wild, enabling attackers to completely bypass login mechanisms. CVE-2026-29201: Arbitrary File Read via Path Traversal The first vulnerability resides in the feature::LOADFEATUREFILE adminbin call, which fails to adequately validate the feature file name parameter. An attacker can pass a relative path as the argument, causing an arbitrary file on the server to be made world-readable. This type of path traversal flaw can expose sensitive system files, including configuration files, credentials, and private keys — giving attackers a foothold for deeper compromise. CVE-2026-29202: Perl Code Injection in User Creation API The second and most severe flaw is a Perl code injection vulnerability discovered in the create_user API call, specifically related to the plugin parameter. When unsanitized input reaches this parameter, attackers can inject and execute arbitrary Perl code on the server. Remote code execution (RCE) vulnerabilities of this nature carry the highest risk, potentially allowing full server takeover, data exfiltration, and deployment of malware or backdoors across hosted environments. CVE-2026-29203: Unsafe Symlink Handling The third flaw stems from unsafe symlink handling that permits a user to chmod an arbitrary file on the system. This misconfiguration can be exploited to disrupt critical system operations, resulting in denial-of-service conditions, and could also be chained with other vulnerabilities to escalate privileges and gain unauthorized administrative access. Affected Versions and Patched Releases All three vulnerabilities affect the same range of cPanel & WHM versions. cPanel has released patches across all active branches. Administrators should update to one of the following versions or higher: 11.136.0.9, 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, 11.124.0.37, 11.118.0.66, 11.110.0.116, 11.110.0.117, 11.102.0.41, 11.94.0.30, or 11.86.0.43. WP Squared users should upgrade to version 11.136.1.10 or higher. Servers running CentOS 6 or CloudLinux 6 can apply a direct update to version 110.0.114 by first setting the upgrade tier with the following command: sed -i "s/CPANEL=.*/CPANEL=cl6110/g" /etc/cpupdate.conf How to Apply the Patch Administrators can update their cPanel installation immediately by running the forced update script: /scripts/upcp --force Once completed, verify the installed version using: /usr/local/cpanel/cpanel -V Confirm the version matches one of the patched releases listed above before considering the remediation complete. Given that CVE-2026-29202 enables direct code execution and CVE-2026-29203 opens the door to privilege escalation, these flaws pose a serious risk to shared hosting environments where multiple tenants operate on a single server. Hosting providers running unpatched cPanel installations face significant exposure to lateral movement and full server compromise. Administrators are urged to apply available patches without delay and review server logs for any signs of exploitation activity. Cybercriminals now enter through your suppliers instead of your front door – Free Webinar Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released New Salat Malware Uses QUIC and WebSocket Channels for Stealthy Remote Control Remus Infostealer Uses Lumma-Style Browser Key Theft and Application-Bound Encryption Bypass CloudZ RAT Abuses Microsoft Phone Link to Steal SMS OTPs and Mobile Notifications New Attribution Framework Connects APT Campaigns Through Strategic, Operational, and Technical Layers Latest News Cyber Security News NVIDIA Data Breach Reportedly Exposes Personal Information of GeForce Users Cyber Security Let’s Encrypt Halts Certificate Issuance After Cross-Signed Root Certificate Incident Cyber Security Critical Microsoft 365 Copilot Vulnerabilities Expose sensitive Information Cyber Security News New PamDOORa Backdoor Attacking Linux Systems to Steal SSH Credentials Cyber Security News Hackers Deploy Modular RAT With Credential Theft and Screenshot Capture Capabilities