cPanel has launched updates to handle three vulnerabilities in cPanel and Net Host Supervisor (WHM) that might be exploited to attain privilege escalation, code execution, and denial-of-service.
The listing of vulnerabilities is as follows –
- CVE-2026-29201 (CVSS rating: 4.3) – An inadequate enter validation of the function file title within the “function::LOADFEATUREFILE” adminbin name that might end in an arbitrary file learn.
- CVE-2026-29202 (CVSS rating: 8.8) – An inadequate enter validation of the “plugin” parameter within the “create_user API” name that might end in arbitrary Perl code execution on behalf of the already authenticated account’s system consumer.
- CVE-2026-29203 (CVSS rating: 8.8) – An unsafe symlink dealing with vulnerability that permits a consumer to switch entry permissions of an arbitrary file utilizing chmod, leading to denial-of-service or attainable privilege escalation.
The shortcomings have been patched within the following variations –
- cPanel and WHM –
- 11.136.0.9 and better
- 11.134.0.25 and better
- 11.132.0.31 and better
- 11.130.0.22 and better
- 11.126.0.58 and better
- 11.124.0.37 and better
- 11.118.0.66 and better
- 11.110.0.116 and better
- 11.110.0.117 and better
- 11.102.0.41 and better
- 11.94.0.30 and better
- 11.86.0.43 and better
- WP Squared –
cPanel has launched 110.0.114 as a direct replace for purchasers who’re nonetheless on CentOS 6 or CloudLinux 6. Customers are suggested to replace to the most recent variations for optimum safety.
Whereas there isn’t any proof that the vulnerabilities have been exploited within the wild, the disclosure comes days after one other vital flaw within the product (CVE-2026-41940) has been weaponized by menace actors as a zero-day to ship Mirai botnet variants and a ransomware pressure referred to as Sorry.
