cPanel pushed an emergency Technical Security Release on May 8 at 12:00 EST patching three new vulnerabilities in cPanel & WHM. It is the second emergency TSR the company has shipped in 10 days, arriving on the heels of CVE-2026-41940 — the authentication-bypass flaw that compromised an estimated 44,000 servers and roughly 70 million hosted domains in late April. If you administer a cPanel box and you patched 41940 last week, you are not done. Patch again.
The three CVEs
CVE-2026-29201 (CVSS 4.3) — Arbitrary file read via the feature::LOADFEATUREFILE adminbin call. The handler fails to validate the feature filename argument, so a relative path traversal causes the targeted file to be chmod’d world-readable on disk. The CVSS understates the blast radius: world-readable /etc/shadow, world-readable per-user cpanel.config, world-readable API token files. Once the bit flips, anyone with a local account on a shared host can read it.
CVE-2026-29202 (CVSS 8.8) — Arbitrary Perl code execution through insufficient input validation of the plugin parameter in create_user API calls. An authenticated reseller (or anyone who has reached reseller-equivalent context through the prior 41940 chain) can pass a crafted plugin reference and execute Perl in the cPanel daemon’s context, which is root on most deployments. This is the headline RCE.
CVE-2026-29203 (CVSS 8.8) — Unsafe symlink handling lets a user modify the access permissions of an arbitrary file via chmod. The straightforward read is denial-of-service: chmod the right file 000 and a customer site goes dark. The harder read is privilege escalation: chmod /etc/shadow 666, write yourself in, su to root. Researchers were careful in the disclosure not to publish the exact gadget, but the path is obvious to anyone who has looked at this kind of bug before.
The 10-day storm
On April 28, cPanel disclosed CVE-2026-41940, a pre-authentication WHM authentication bypass. The fix went out within hours, but some telemetry showed the exploit window had already been open for weeks, and ransomware crews took advantage of it: at least 44,000 servers across roughly 70 million domains were observed compromised in the days following disclosure. Several large shared-hosting providers — the kind whose customers do not patch their own boxes because the host does it for them — were caught flat-footed.
Ten days later, here is the second TSR. The pattern matters. cPanel’s normal cadence is one TSR per month, sometimes per quarter. Two emergency releases in 10 days is the kind of cadence you see when an internal review triggered by one incident surfaces a stack of related bugs that were not previously prioritized. Expect a third inside the next 30 days.
What is affected
The advisory covers cPanel & WHM versions 11.110, 11.112, 11.116, and 11.118. Patched builds:
- 11.110.0.66
- 11.112.0.51
- 11.116.0.41
- 11.118.0.27
Anything older than 11.110 is end-of-life and will not receive a patch. If you are still on 11.108 or below, you are running unsupported code on a box that is now being scanned by the same operators who burned through 41940.
Mitigation
Update immediately via /usr/local/cpanel/scripts/upcp --force. Do not wait for your nightly auto-update window — given the 41940 fallout, opportunistic scans for these new bugs started within hours of disclosure.
If you cannot update right now: disable the create_user API endpoint at the WHM ACL layer to neutralize 29202, and audit /etc/shadow and other sensitive file permissions for unexpected world-readability or recent mtime as a check against in-progress 29201 / 29203 exploitation. Review reseller account creation logs for the last 10 days; the 41940 compromise window means attackers may already have reseller-tier footholds waiting on 29202 to land.
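One way to run the permission and mtime audit described above, as an added example (not cPanel tooling and not code from this article). The function names, output labels and the WINDOW_DAYS variable are assumptions of this example; pass it /etc/shadow plus whatever other sensitive paths apply to your host.

```bash
#!/usr/bin/env bash
# Added example: flag sensitive files that are world-readable, world-writable,
# replaced by a symlink, or modified inside the review window.
# Usage (script name is illustrative): ./audit_perms.sh /etc/shadow [more paths...]

WINDOW_DAYS="${WINDOW_DAYS:-10}"   # assumption: mirrors the 10-day window in the text

# Print one finding per line for a single path; return 1 if anything was flagged.
audit_file() {
  local f days flagged
  f="$1"; days="${2:-$WINDOW_DAYS}"; flagged=0
  if [ -L "$f" ]; then
    # A sensitive path is expected to be a regular file, not a link elsewhere.
    echo "SYMLINK $f -> $(readlink "$f")"
    return 1
  fi
  if [ ! -e "$f" ]; then
    echo "MISSING $f"
    return 1
  fi
  # -prune keeps find on the path itself; "-perm -NNNN" means all listed bits are set.
  if [ -n "$(find "$f" -prune -perm -0004)" ]; then
    echo "WORLD-READABLE $f"; flagged=1
  fi
  if [ -n "$(find "$f" -prune -perm -0002)" ]; then
    echo "WORLD-WRITABLE $f"; flagged=1
  fi
  # A recent mtime is a lead, not proof: ordinary password changes also touch /etc/shadow.
  if [ -n "$(find "$f" -prune -mtime "-$days")" ]; then
    echo "RECENT-MTIME(<${days}d) $f"; flagged=1
  fi
  return "$flagged"
}

# Audit every path given; return 1 if any of them produced a finding.
audit_paths() {
  local rc f
  rc=0
  for f in "$@"; do
    audit_file "$f" || rc=1
  done
  return "$rc"
}

# Run only when paths are supplied on the command line.
if [ "$#" -gt 0 ]; then
  audit_paths "$@"
fi
```

A non-zero exit status means at least one path needs review, which makes the script usable from cron or a fleet-wide run until every host is on a patched build.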
Why this matters
cPanel runs on the boring middle of the internet — the shared-hosting providers serving small business sites, WordPress installs, mom-and-pop ecommerce. The customers do not have security teams. The hosts often do not either. When cPanel ships back-to-back emergency patches, the class of operator best positioned to exploit them is exactly the ransomware-as-a-service crews who have already proven they can monetize this stack: encrypt the server, exfil the customer databases, demand payment from both the host and the downstream tenants.
If you operate cPanel infrastructure, treat the next 30 days as an active-incident window even if you have no IOCs.