Full Report
cPanel security advisory (AV26-404)
Analysis Summary
# Vulnerability: cPanel and WP Squared Security Updates (April 2026)
## CVE Details
*Note: The primary advisory (AV26-404) refers to a collective update. Specific CVE identifiers for each sub-vulnerability are detailed in the vendor's technical documentation linked below.*
- **CVE ID:** CVE-2026-XXXXX (Multiple pending; see vendor advisory)
- **CVSS Score:** Not explicitly provided in the summary (Typically High/Critical for cPanel security releases)
- **CWE:** Varies (Includes Cross-Site Scripting (XSS) and Privilege Escalation flaws)
## Affected Systems
- **Products:** cPanel & WHM, WP Squared
- **Versions:**
- cPanel versions prior to: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.136.0.5, 11.134.0.20
- WP Squared versions prior to: 11.136.1.7
- **Configurations:** Systems running active cPanel/WHM or WP Squared instances accessible via the web or local network.
## Vulnerability Description
While the Canadian Centre for Cyber Security bulletin acts as a high-level notification, these patches typically address several classes of vulnerabilities:
1. **Input Validation Issues:** Failures to properly sanitize user-provided data, leading to potential Cross-Site Scripting (XSS).
2. **Access Control Flaws:** Insecure handling of permissions that could lead to unauthorized administrative actions.
3. **Logic Errors:** Issues in the internal cPanel scripts that may allow for code execution or file manipulation.
## Exploitation
- **Status:** Not exploited in the wild (based on current reporting; typically disclosed via responsible disclosure).
- **Complexity:** Low to Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Risk of data exposure/account takeover)
- **Integrity:** High (Risk of unauthorized file/configuration modification)
- **Availability:** Medium (Potential for service disruption)
## Remediation
### Patches
Update to the following versions or later:
- **cPanel/WHM:** 11.110.0.97
- **cPanel/WHM:** 11.118.0.63
- **cPanel/WHM:** 11.126.0.54
- **cPanel/WHM:** 11.132.0.29
- **cPanel/WHM:** 11.136.0.5
- **cPanel/WHM:** 11.134.0.20
- **WP Squared:** 11.136.1.7
### Workarounds
No specific workarounds are recommended. Administrative users should ensure that automatic updates are enabled for cPanel software to receive security binaries immediately.
## Detection
- **Indicators of Compromise:** Unusual administrative log activity in `/usr/local/cpanel/logs/access_log` or unauthorized API calls.
- **Detection Methods:** Audit system logs for unexpected login attempts or privilege escalations in the WHM interface.
## References
- **cPanel & WHM Security Update:** hxxps[://]support[.]cpanel[.]net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
- **cPanel Support Topics:** hxxps[://]support[.]cpanel[.]net/hc/en-us/sections/360008753193-Support-Topics
- **Cyber Centre Advisory:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/cpanel-security-advisory-av26-404