Multiple Vulnerabilities in cPanel & WHM Posed Security Risks

Multiple Vulnerabilities in cPanel & WHM Posed Security Risks

First seen 10 May 2026, 15:32 UTC support.cpanel.net 86% similarity 74.0

Article Content

Browse articles
ThreatCluster

On May 8, 2026, cPanel & WHM released patches for three critical vulnerabilities: CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203. CVE-2026-29201 allows arbitrary file reads due to inadequate validation in the LOADFEATUREFILE call. CVE-2026-29202 involves a Perl code injection in the create_user API, while CVE-2026-29203 permits unsafe symlink handling, enabling users to change permissions on arbitrary files. These vulnerabilities affect all versions of cPanel & WHM, particularly impacting users on CentOS 6 or CloudLinux 6. The patches are available, and users are urged to update immediately to mitigate potential risks. The vulnerabilities could lead to denial of service, privilege escalation, and unauthorized access to sensitive files. All affected systems should verify their cPanel versions post-update to ensure security compliance.

Key Points: • cPanel & WHM released patches for three critical vulnerabilities on May 8, 2026. • CVE-2026-29201 allows arbitrary file reads, CVE-2026-29202 involves Perl code injection, and CVE-2026-29203 enables unsafe symlink handling. • Users are strongly advised to update their systems to the latest versions to mitigate risks.

ThreatCluster AI

Timeline

2026-05-08
Patches released for critical vulnerabilities
cPanel & WHM disclosed patches for CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, affecting all versions.
Article 1
2026-05-08
CVE-2026-29201 published
An arbitrary file read vulnerability was identified in the LOADFEATUREFILE call, allowing unauthorized file access.
Article 1
2026-05-08
CVE-2026-29202 published
A Perl code injection vulnerability was found in the create_user API, affecting plugin parameters.
Article 3
2026-05-08
CVE-2026-29203 published
An unsafe symlink handling vulnerability was discovered, allowing users to change permissions on arbitrary files.
Article 2

Community

Browse all →