cPanel patches three WHM flaws enabling code exec, DoS

cPanel and WebHost Manager released updates addressing three security flaws that could allow arbitrary file reads, execution of Perl code and chmod-triggered denial of service or privilege escalation.

CVE-2026-29201 carries a CVSS score of 4.3 and results from insufficient input validation of a feature file name in the adminbin “feature::LOADFEATUREFILE” call. An attacker who can reach the vulnerable call could read files outside intended locations.

CVE-2026-29202 has a CVSS score of 8.8 and stems from weak validation of the “plugin” parameter in the create_user API. Exploitation can allow arbitrary Perl code to run as the system user tied to an already authenticated account.

CVE-2026-29203, also scored 8.8, involves unsafe handling of symbolic links. A user with access to the vulnerable function can change access permissions on an arbitrary file via chmod, which can cause a service disruption or enable privilege escalation.

Related: Unknown actor exploits cPanel flaw targeting SE Asian militaries

cPanel provided patches for multiple release branches. Fixed builds begin at 11.136.0.9 and include maintained branches such as 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, 11.124.0.37, 11.118.0.66, 11.110.0.116/117, 11.102.0.41, 11.94.0.30 and 11.86.0.43. WP Squared customers should move to 11.136.1.10 or newer. For customers still on CentOS 6 or CloudLinux 6, cPanel released a direct update, version 110.0.114.

Administrators and hosting providers are advised to apply the updates promptly. cPanel reported no confirmed in-the-wild exploitation of these three vulnerabilities at the time of the advisory. The disclosure follows a separate critical flaw, CVE-2026-41940, that was observed being used to deliver Mirai botnet variants and a ransomware family named Sorry.

Control panels run with elevated privileges and manage many hosted accounts. Vulnerabilities that permit code execution or arbitrary permission changes can affect multiple sites and services on a server. Operators are recommended to install the patches, restrict administrative access, and monitor system logs for unusual activity.