Cpanel

vulnerabilities 2026-05-24
LiteSpeed cPanel Plugin CVE-2026-48172: Any User Can Run Scripts as Root
A CVSS 10.0 flaw in the LiteSpeed User-End cPanel Plugin lets any logged-in cPanel user execute scripts as root. It is being exploited in the wild — patch or uninstall now.
cpanel litespeed privilege-escalation cve-2026-48172 web-hosting active-exploitation
vulnerability 2026-05-10
cPanel Ships Second Emergency TSR in 10 Days: CVE-2026-29201, 29202, 29203 Patch RCE, Arbitrary File Read, DoS
cPanel released its second emergency Technical Security Release in 10 days on May 8, patching three new flaws — including a CVSS 8.8 Perl injection in create_user and a chmod-based privilege escalation — barely a week after the CVE-2026-41940 authentication-bypass meltdown.
cpanel whm rce perl hosting shared-hosting tsr patch-tuesday-adjacent
vulnerabilities 2026-04-29
cPanel & WHM CVE-2026-41940: Critical Auth Bypass Triggers Global Hosting Lockdown
An unauthenticated CRLF-injection auth bypass in cPanel & WHM (CVSS 9.8) sent every major hosting provider into emergency port-blocking mode within hours of disclosure. All supported release tracks are affected.
cpanel whm authentication-bypass CVE-2026-41940 web-hosting shared-hosting

LiteSpeed cPanel Plugin CVE-2026-48172: Any User Can Run Scripts as Root