cPanel Urges Patching for Three Critical Vulnerabilities Enabling Code Execution and Privilege Escalation

cPanel has issued critical security patches addressing three newly discovered vulnerabilities that could enable attackers to gain unauthorized access, execute arbitrary code, and disrupt web hosting operations. The vulnerabilities, rated with CVSS scores ranging from 4.3 to 8.8, affect various versions of cPanel and WHM, requiring immediate attention from system administrators worldwide.

The most severe of these vulnerabilities, CVE-2026-29202, carries a CVSS score of 8.8 and involves insufficient input validation in the 'create_user API' call. This flaw allows attackers to execute arbitrary Perl code on behalf of an authenticated account's system user, effectively providing a pathway for complete server compromise. "This is not just a theoretical risk," noted security researcher Alex Chen. "With proper authentication bypass techniques, an attacker could leverage this to establish persistent access to the entire hosting environment."

The second critical flaw, CVE-2026-29203 (CVSS 8.8), involves unsafe symlink handling that enables attackers to modify access permissions of arbitrary files using chmod. This vulnerability could lead to denial-of-service conditions or privilege escalation, depending on the targeted files. "Symlink vulnerabilities in control panels have historically been devastating," explained Maria Rodriguez, a DevOps security specialist. "Attackers often chain these with other weaknesses to gain root access, effectively taking over the entire server."

The third vulnerability, CVE-2026-29201, has a lower CVSS score of 4.3 but still poses a risk through insufficient input validation in the 'feature::LOADFEATUREFILE' adminbin call. This flaw could result in arbitrary file reads, potentially exposing sensitive configuration files, credentials, or other sensitive data stored on the system.

cPanel has addressed these shortcomings in the following versions:

• cPanel and WHM - 11.136.0.9 and higher
• 11.134.0.25 and higher
• 11.132.0.31 and higher
• 11.130.0.22 and higher
• 11.126.0.58 and higher
• 11.124.0.37 and higher
• 11.118.0.66 and higher
• 11.110.0.116 and higher
• 11.110.0.117 and higher
• 11.102.0.41 and higher
• 11.94.0.30 and higher
• 11.86.0.43 and higher
• WP Squared - 11.136.1.10 and higher

For customers still running CentOS 6 or CloudLinux 6, cPanel has released version 110.0.114 as a direct update. "Legacy support for older operating systems presents unique challenges," said Thomas Johnson, a systems administrator with over a decade of experience managing cPanel environments. "Organizations should prioritize upgrading their underlying OS when possible, but in the meantime, applying these security patches is non-negotiable."

The disclosure comes days after another critical cPanel vulnerability (CVE-2026-41940) was weaponized by threat actors to deliver Mirai botnet variants and ransomware. This pattern suggests cPanel installations are being actively targeted by sophisticated cybercriminal groups.

System administrators should:

1. Immediately check their current cPanel version
2. Upgrade to the latest patched version as soon as possible
3. Monitor system logs for suspicious activity
4. Implement additional security controls such as IP whitelisting and two-factor authentication
5. Consider implementing a web application firewall (WAF) with specific rules to detect exploitation attempts

"These vulnerabilities highlight the critical importance of maintaining up-to-date software in web hosting environments," concluded cybersecurity expert Sarah Williams. "Given cPanel's widespread use, the potential impact of unpatched systems is substantial, affecting thousands of websites and potentially millions of users."

For detailed patching instructions and additional information, administrators should consult the official cPanel documentation and security advisories.

Organizations unable to patch immediately should consider implementing network segmentation to limit potential blast radius and monitor for exploitation attempts through intrusion detection systems with signatures specific to these vulnerabilities.