cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now
Source: The Hacker News

Vulnerabilities Fixed
- CVE‑2026‑29201 (CVSS 4.3) – Insufficient input validation of the feature file name in the feature::LOADFEATUREFILE adminbin call, allowing arbitrary file read.
- CVE‑2026‑29202 (CVSS 8.8) – Insufficient input validation of the plugin parameter in the create_user API call, leading to arbitrary Perl code execution as the authenticated system user.
- CVE‑2026‑29203 (CVSS 8.8) – Unsafe symlink handling that lets a user modify access permissions of an arbitrary file via chmod, resulting in denial‑of‑service or possible privilege escalation.

Patched Versions
cPanel and WHM
- 11.136.0.9 and higher
- 11.134.0.25 and higher
- 11.132.0.31 and higher
- 11.130.0.22 and higher
- 11.126.0.58 and higher
- 11.124.0.37 and higher
- 11.118.0.66 and higher
- 11.110.0.116 and higher
- 11.110.0.117 and higher
- 11.102.0.41 and higher
- 11.94.0.30 and higher
- 11.86.0.43 and higher
WP Squared
- 11.136.1.10 and higher
cPanel has also released version 110.0.114 as a direct update for customers still on CentOS 6 or CloudLinux 6. Users are advised to upgrade to the latest versions for optimal protection.
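
The version floors listed above can be checked mechanically across a fleet. The following Python sketch is an added example, not code from cPanel or from the original article. The function names, the `wp2` product label, the `el6` flag and the host inventory are assumptions made for illustration, and the sample versions are constructed.

```python
# Added example. Build floors copied from the "Patched Versions" list above.
# Tier 110 appears twice on the page (.116 and .117); the lower floor is used.
PATCHED_CPANEL = {136: 9, 134: 25, 132: 31, 130: 22, 126: 58, 124: 37,
                  118: 66, 110: 116, 102: 41, 94: 30, 86: 43}
PATCHED_WP_SQUARED = {136: (1, 10)}        # 11.136.1.10
EL6_DIRECT_UPDATE = (110, 0, 114)          # CentOS 6 / CloudLinux 6 direct update


def parse_version(text):
    """Return (tier, minor, build) from '11.136.0.9' or the short form '136.0.9'."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) == 4 and parts[0] == 11:
        parts = parts[1:]
    if len(parts) != 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(parts)


def patch_status(version, product="cpanel", el6=False):
    """Return 'patched', 'unpatched', or 'unknown' when the tier is not listed."""
    tier, minor, build = parse_version(version)
    if product == "wp2":                    # hypothetical label for WP Squared
        floor = PATCHED_WP_SQUARED.get(tier)
    elif el6 and tier == EL6_DIRECT_UPDATE[0]:
        floor = EL6_DIRECT_UPDATE[1:]       # assumed to carry the fixes on EL6 hosts
    else:
        floor = (0, PATCHED_CPANEL[tier]) if tier in PATCHED_CPANEL else None
    if floor is None:
        return "unknown"
    return "patched" if (minor, build) >= floor else "unpatched"


def audit(inventory):
    """Map host -> status for rows of (host, version, product, el6)."""
    return {host: patch_status(ver, prod, el6) for host, ver, prod, el6 in inventory}


# Constructed inventory; in practice the version strings come from each server.
SAMPLE_INVENTORY = [
    ("web01", "11.136.0.9", "cpanel", False),
    ("web02", "11.134.0.24", "cpanel", False),
    ("legacy01", "110.0.114", "cpanel", True),
    ("wp01", "11.136.1.9", "wp2", False),
    ("lab01", "11.128.0.3", "cpanel", False),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A result of `unknown` means the release tier is not in the list above and needs a manual check against the vendor advisory.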
Additional Information
There is currently no evidence that these vulnerabilities have been exploited in the wild. The disclosure follows the recent weaponization of another critical flaw, CVE‑2026‑41940, which was used as a zero‑day to deliver Mirai botnet variants and a ransomware strain called Sorry.