Full Report
cPanel security advisory (AV26-488)
Analysis Summary
# Vulnerability: cPanel & WHM / WP Squared Security Updates (May 2026)
## CVE Details
*Note: The provided advisory references internal vendor security identifiers (SEC-73728, SEC-73755). Specific CVE IDs are typically assigned concurrently with these updates but were not explicitly listed in the summary text.*
- **CVE ID:** Pending/Not explicitly listed (Refer to SEC-73728 and SEC-73755)
- **CVSS Score:** Not specified (Severity handled as "Critical/High" per Canadian Centre for Cyber Security advisory status)
- **CWE:** Not specified
## Affected Systems
- **Products:** cPanel & WebHost Manager (WHM), WP Squared
- **Versions:**
- 11.86.0.45 and prior
- 11.94.0.32 and prior
- 11.102.0.43 and prior
- 11.110.0.120 (cl6110) / 11.110.0.121 and prior
- 11.118.0.68 and prior
- 11.124.0.41 and prior
- 11.126.0.62 and prior
- 11.130.0.26 and prior
- 11.132.0.35 and prior
- 11.134.0.29 and prior
- 11.136.0.13 and prior
- WP Squared 11.136.1.16 and prior
- **Configurations:** Systems running the web hosting control panel interface.
## Vulnerability Description
While specific technical details are restricted to the vendor security notes, these updates address vulnerabilities in the cPanel & WHM core software and the WP Squared management interface. Based on the advisory classification, the flaws likely involve unauthorized privilege escalation, remote execution, or data exposure within the hosting management environment.
## Exploitation
- **Status:** Not explicitly reported as exploited in the wild at the time of publication.
- **Complexity:** Not specified (Typically Low to Medium for control panel vulnerabilities).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Potential access to user accounts and server configurations).
- **Integrity:** High (Potential modification of website files or server settings).
- **Availability:** High (Potential for service disruption).
## Remediation
### Patches
Users should update to the following versions or newer:
- **cPanel & WHM:** Update to the latest build in your specific release tier (Edge, Current, Release, or Stable).
- **WP Squared:** Update beyond version 11.136.1.16.
### Workarounds
No specific manual workarounds have been provided. Enterprise users should ensure that "Update to the latest version of cPanel & WHM" is enabled in the *Update Preferences* section of WHM.
## Detection
- **Indicators of Compromise:** Monitor `/usr/local/cpanel/logs/access_log` and `/usr/local/cpanel/logs/error_log` for unusual administrative activity or unauthorized login attempts.
- **Detection methods and tools:** Audit internal cPanel user accounts for unauthorized additions or modifications.
## References
- **Vendor advisories:**
- hxxps[://]support[.]cpanel[.]net/hc/en-us/articles/40555378241943-Security-SEC-73728-cPanel-WHM-WP2-Security-Update-May-19-2026
- hxxps[://]support[.]cpanel[.]net/hc/en-us/articles/40555594160023-Security-SEC-73755-cPanel-WHM-WP2-Security-Update-May-19-2026
- **Relevant links:**
- hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/cpanel-security-advisory-av26-488