Critical cPanel Flaws Allow Access to Sensitive System

A critical wave of security vulnerabilities impacting cPanel and WebHost Manager (WHM) has prompted web hosting administrators globally to initiate urgent patching efforts.

Threat actors are currently eyeing newly disclosed flaws that grant unauthenticated access to sensitive system resources, potentially allowing complete server compromise.

Recent security updates from cPanel address multiple high-severity flaws that pose a critical risk to shared hosting ecosystems.

The cPanel Vulnerabilities

The most alarming of the recently patched vulnerabilities carries a critical CVSS score of 9.8, alongside other serious bugs that open the door to denial-of-service (DoS) conditions and severe account abuse.

Among the specifically detailed threats is CVE-2026-29202, a severe issue with a CVSS score of 8.8 that stems from insufficient input validation of the “plugin” parameter during a “create_user” API call.

If exploited, this allows an attacker to execute arbitrary Perl code with the system permissions of an already-authenticated account’s system user.

Another newly patched flaw, CVE-2026-29201, enables arbitrary file reads due to poor validation of feature file names, exposing underlying server configurations to unauthorized viewers.

The threat landscape for Linux-based hosting servers is further complicated by concurrent vulnerabilities in underlying infrastructure software.

On May 7, 2026, researchers disclosed “Dirty Frag” (tracked as CVE-2026-43284 and CVE-2026-43500), a local privilege escalation flaw in the Linux kernel’s page cache.

Discovered by independent researcher Hyunwoo Kim, this exploit shares similarities with the notorious 2022 Dirty Pipe bug and allows a low-level local user to obtain full root administrative control easily.

Additionally, email services bundled with many hosting servers face severe risks from the Exim vulnerability CVE-2026-40684.

This medium-severity flaw allows attackers to crash connection instances by supplying malformed DNS data in PTR records, resulting in a denial-of-service condition on systems using musl libc.

System administrators running affected infrastructure must prioritize patching immediately to prevent server takeover.

The cPanel updates resolve these critical paths to code execution and privilege escalation for multiple version branches, including systems running versions 11.136.0.8 and lower.

Security teams should quickly update cPanel, WHM, and WP Squared installations to the newest available releases, while simultaneously auditing server access logs for unauthorized API calls or unusual local file reads that might indicate active exploitation.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.