cPanel & WHM Fixes High-Severity Vulnerabilities Enabling RCE and Privilege Escalation

cPanel & WHM has released security updates addressing three vulnerabilities that could allow arbitrary file read, remote code execution (RCE), denial-of-service (DoS), and potential privilege escalation.

Two of the flaws — CVE-2026-29202 and CVE-2026-29203 — carry a CVSS score of 8.8 and pose significant risks to hosting environments if left unpatched.

The disclosure follows the recent exploitation of another critical cPanel vulnerability, CVE-2026-41940, which attackers used to deploy Mirai botnet variants and the Sorry ransomware strain.

Vulnerability Details

CVE-2026-29201 — Arbitrary File Read

  • CVSS Score: 4.3
  • Component: feature::LOADFEATUREFILE adminbin call
  • Issue: Insufficient validation of feature file names
  • Impact: Arbitrary file read

The vulnerability stems from improper input validation in the feature loading mechanism, potentially allowing attackers to access unintended files on the server.

CVE-2026-29202 — Arbitrary Perl Code Execution

  • CVSS Score: 8.8
  • Component: create_user API
  • Issue: Improper validation of the plugin parameter
  • Impact: Arbitrary Perl code execution as the authenticated account’s system user

An authenticated attacker could exploit the flaw to execute malicious Perl code on the affected system, potentially leading to server compromise.

CVE-2026-29203 — Symlink Handling Privilege Escalation

  • CVSS Score: 8.8
  • Issue: Unsafe symlink handling during chmod operations
  • Impact: Denial-of-service and possible privilege escalation

The flaw allows a local user to manipulate permissions of arbitrary files via symlink abuse techniques.

Patched Versions

cPanel & WHM

The vulnerabilities have been addressed in the following releases:

  • 11.136.0.9 and later
  • 11.134.0.25 and later
  • 11.132.0.31 and later
  • 11.130.0.22 and later
  • 11.126.0.58 and later
  • 11.124.0.37 and later
  • 11.118.0.66 and later
  • 11.110.0.116 and later
  • 11.110.0.117 and later
  • 11.102.0.41 and later
  • 11.94.0.30 and later
  • 11.86.0.43 and later

WP Squared

  • 11.136.1.10 and later

Additionally, cPanel released 11.110.0.114 as a direct upgrade path for legacy systems still running:

  • CentOS 6
  • CloudLinux 6

Threat Landscape

Although there is currently no evidence of active exploitation of these newly disclosed vulnerabilities, the announcement comes shortly after threat actors weaponized CVE-2026-41940 as a zero-day exploit.

Attackers reportedly leveraged the flaw to deploy:

  • Mirai botnet variants
  • Sorry ransomware

The incidents underscore the increasing focus on web hosting infrastructure and administrative platforms by cybercriminal groups.

Mitigation Recommendations

Administrators should take the following actions immediately:

  • Upgrade cPanel & WHM to the latest patched versions
  • Audit authenticated user activity and API access logs
  • Restrict unnecessary plugin functionality
  • Monitor systems for suspicious Perl execution activity
  • Review filesystem permissions and symlink protections
  • Isolate vulnerable or legacy systems where updates are not immediately possible

Key Takeaways

  • cPanel patched three vulnerabilities impacting WHM and related products.
  • The flaws enable arbitrary file read, RCE, DoS, and possible privilege escalation.
  • Two vulnerabilities received a high-severity CVSS score of 8.8.
  • No in-the-wild exploitation has been observed yet.
  • The disclosure follows recent attacks exploiting another cPanel zero-day tied to Mirai and ransomware deployment.