Full Report
cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to achieve privilege escalation, code execution, and denial-of-service. The list of vulnerabilities is as follows - CVE-2026-29201 (CVSS score: 4.3) - An insufficient input validation of the feature file name in the "feature::LOADFEATUREFILE" adminbin call that could result
Analysis Summary
# Vulnerability: Multiple Flaws in cPanel & WHM
## CVE Details
- **CVE ID:**
  - CVE-2026-29201
  - CVE-2026-29202
  - CVE-2026-29203
- **CVSS Score:**
  - CVE-2026-29201: **4.3** (Medium)
  - CVE-2026-29202: **8.8** (High)
  - CVE-2026-29203: **8.8** (High)
- **CWE:** Not specifically listed (Weaknesses involve Insufficient Input Validation and Unsafe Symlink Handling)
## Affected Systems
- **Products:** cPanel, Web Host Manager (WHM), and WP Squared.
- **Versions:**
  - cPanel & WHM: Versions prior to 11.136.0.9, 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, 11.124.0.37, 11.118.0.66, 11.110.0.116, 11.110.0.117, 11.102.0.41, 11.94.0.30, and 11.86.0.43.
  - WP Squared: Versions prior to 11.136.1.10.
- **Configurations:** Systems running on CentOS 6 or CloudLinux 6 require a specific direct update (version 110.0.114).
## Vulnerability Description
- **CVE-2026-29201:** Insufficient input validation of the feature file name within the `feature::LOADFEATUREFILE` adminbin call. This flaw allows for arbitrary file reads.
- **CVE-2026-29202:** Insufficient input validation of the `plugin` parameter in the `create_user` API call. This allows an authenticated system user to execute arbitrary Perl code.
- **CVE-2026-29203:** An unsafe symlink handling flaw during `chmod` operations. A user can manipulate access permissions of arbitrary files, leading to Privilege Escalation or Denial-of-Service (DoS).
## Exploitation
- **Status:** No evidence of active exploitation for these specific CVEs at the time of report; however, they follow a recent zero-day (CVE-2026-41940) in the same product line.
- **Complexity:** Medium (CVE-2026-29202 requires an authenticated account).
- **Attack Vector:** Local / Network (API-based and call-based triggers).
## Impact
- **Confidentiality:** High (Arbitrary file read and code execution).
- **Integrity:** High (Ability to modify file permissions and execute code).
- **Availability:** High (Potential for Denial-of-Service via permission manipulation).
## Remediation
### Patches
Update to the following versions or higher:
- **cPanel/WHM:** 11.136.0.9, 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, 11.124.0.37, 11.118.0.66, 11.110.0.116, 11.110.0.117, 11.102.0.41, 11.94.0.30, 11.86.0.43.
- **WP Squared:** 11.136.1.10.
- **Legacy Systems (CentOS 6/CloudLinux 6):** Update to version 110.0.114.
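The fixed builds above can be turned into a fleet check. The following is an added example, not code from cPanel or from the original report; the function name `assess` and its `product` and `legacy_el6` parameters are hypothetical, and the version string is assumed to be collected by the operator in the dotted form used in this report.

```python
import re

# Fixed builds listed in this report, keyed by release branch: branch -> (minor, build).
# Branch 110 lists both .116 and .117; the lower one is used as the threshold.
CPANEL_FIXED = {136: (0, 9), 134: (0, 25), 132: (0, 31), 130: (0, 22),
                126: (0, 58), 124: (0, 37), 118: (0, 66), 110: (0, 116),
                102: (0, 41), 94: (0, 30), 86: (0, 43)}
WP_SQUARED_FIXED = {136: (1, 10)}
LEGACY_EL6_FIXED = {110: (0, 114)}  # CentOS 6 / CloudLinux 6 direct update

# Accepts "11.136.0.9" as well as the short form "136.0.9".
_VERSION_RE = re.compile(r"^(?:11\.)?(\d+)\.(\d+)\.(\d+)$")


def assess(version, product="cpanel", legacy_el6=False):
    """Return 'patched', 'vulnerable' or 'unlisted' for a version string.

    'unlisted' means the report names no fixed build for that branch,
    so it gives no basis for a verdict (hypothetical helper, added example).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    branch, minor, build = (int(g) for g in m.groups())
    if product == "wp_squared":
        table = WP_SQUARED_FIXED
    elif legacy_el6:
        table = LEGACY_EL6_FIXED
    else:
        table = CPANEL_FIXED
    fixed = table.get(branch)
    if fixed is None:
        return "unlisted"
    # Within a branch, a host is patched once (minor, build) reaches the fixed pair.
    return "patched" if (minor, build) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("web01", "11.136.0.8"), ("web02", "11.134.0.25")]:
        print(host, ver, assess(ver))
```

Hosts that come back as `unlisted` need a manual look at the vendor advisories, since this report only covers the branches in the list above.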
### Workarounds
No specific workarounds provided; immediate patching is recommended due to the high CVSS scores and the history of recent product exploitation.
## Detection
- **Indicators of Compromise:** Unusual `chmod` activity on system files or suspicious Perl processes initiated by cPanel user accounts.
- **Detection Methods:** Monitor API logs for unexpected `plugin` parameters in `create_user` calls and audit `adminbin` logs for `LOADFEATUREFILE` requests.
## References
- hxxps[://]support[.]cpanel[.]net/hc/en-us/articles/40311033698327-Security-CVE-2026-29201
- hxxps[://]thehackernews[.]com/2026/05/cpanel-whm-patch-3-new-vulnerabilities[.]html
- hxxps[://]support[.]cpanel[.]net/hc/en-us/articles/40311426610327-Security-CVE-2026-29202
- hxxps[://]support[.]cpanel[.]net/hc/en-us/articles/40311543760407-Security-CVE-2026-29203