Cagefs

vulnerability 2026-06-18
LiteSpeed cPanel Plugin CVE-2026-54420: A Symlink Trick That Escapes CageFS for Root
An actively-exploited symlink flaw in LiteSpeed's user-end cPanel plugin lets any tenant with FTP or web-shell access break out of CageFS and become root. CISA's federal patch deadline is today.
litespeed cpanel cloudlinux cagefs privilege-escalation cisa-kev shared-hosting

LiteSpeed cPanel Plugin CVE-2026-54420: A Symlink Trick That Escapes CageFS for Root