cPanel & WHM Fixes High-Severity Vulnerabilities Enabling RCE and Privilege Escalation
cPanel & WHM has released security updates addressing three vulnerabilities that could allow arbitrary file read, remote code execution (RCE), denial-of-service (DoS), and potential privilege escalation.
Two of the flaws — CVE-2026-29202 and CVE-2026-29203 — carry a CVSS score of 8.8 and pose significant risks to hosting environments if left unpatched.
The disclosure follows the recent exploitation of another critical cPanel vulnerability, CVE-2026-41940, which attackers used to deploy Mirai botnet variants and the Sorry ransomware strain.
Vulnerability Details
CVE-2026-29201 — Arbitrary File Read
- CVSS Score: 4.3
- Component:
feature::LOADFEATUREFILEadminbin call - Issue: Insufficient validation of feature file names
- Impact: Arbitrary file read
The vulnerability stems from improper input validation in the feature loading mechanism, potentially allowing attackers to access unintended files on the server.
CVE-2026-29202 — Arbitrary Perl Code Execution
- CVSS Score: 8.8
- Component:
create_user API - Issue: Improper validation of the
pluginparameter - Impact: Arbitrary Perl code execution as the authenticated account’s system user
An authenticated attacker could exploit the flaw to execute malicious Perl code on the affected system, potentially leading to server compromise.
CVE-2026-29203 — Symlink Handling Privilege Escalation
- CVSS Score: 8.8
- Issue: Unsafe symlink handling during
chmodoperations - Impact: Denial-of-service and possible privilege escalation
The flaw allows a local user to manipulate permissions of arbitrary files via symlink abuse techniques.
Patched Versions
cPanel & WHM
The vulnerabilities have been addressed in the following releases:
- 11.136.0.9 and later
- 11.134.0.25 and later
- 11.132.0.31 and later
- 11.130.0.22 and later
- 11.126.0.58 and later
- 11.124.0.37 and later
- 11.118.0.66 and later
- 11.110.0.116 and later
- 11.110.0.117 and later
- 11.102.0.41 and later
- 11.94.0.30 and later
- 11.86.0.43 and later
WP Squared
- 11.136.1.10 and later
Additionally, cPanel released 11.110.0.114 as a direct upgrade path for legacy systems still running:
- CentOS 6
- CloudLinux 6
Threat Landscape
Although there is currently no evidence of active exploitation of these newly disclosed vulnerabilities, the announcement comes shortly after threat actors weaponized CVE-2026-41940 as a zero-day exploit.
Attackers reportedly leveraged the flaw to deploy:
- Mirai botnet variants
- Sorry ransomware
The incidents underscore the increasing focus on web hosting infrastructure and administrative platforms by cybercriminal groups.
Mitigation Recommendations
Administrators should take the following actions immediately:
- Upgrade cPanel & WHM to the latest patched versions
- Audit authenticated user activity and API access logs
- Restrict unnecessary plugin functionality
- Monitor systems for suspicious Perl execution activity
- Review filesystem permissions and symlink protections
- Isolate vulnerable or legacy systems where updates are not immediately possible
Key Takeaways
- cPanel patched three vulnerabilities impacting WHM and related products.
- The flaws enable arbitrary file read, RCE, DoS, and possible privilege escalation.
- Two vulnerabilities received a high-severity CVSS score of 8.8.
- No in-the-wild exploitation has been observed yet.
- The disclosure follows recent attacks exploiting another cPanel zero-day tied to Mirai and ransomware deployment.