Critical cPanel & WHM Vulnerabilities Let Attackers Execute Code, Launch DoS
Key Takeaways cPanel & WHM have critical vulnerabilities enabling arbitrary file reads, Perl code injection, and denial-of-service (DoS) attacks. The most severe flaw, CVE-2026-29202, allows...
Key Takeaways
- cPanel & WHM have critical vulnerabilities enabling arbitrary file reads, Perl code injection, and denial-of-service (DoS) attacks.
- The most severe flaw, CVE-2026-29202, allows remote code execution (RCE) via Perl code injection.
- All active branches of cPanel & WHM are affected, including versions 11.136, 11.134, 11.132, 11.130, 11.126, 11.124, 11.118, 11.110, 11.102, 11.94, and 11.86.
- Patches were released on May 8, 2026; immediate updates are strongly recommended for all administrators and hosting providers.
Critical Flaws Discovered in cPanel & WHM Exposing Servers to RCE and DoS
cPanel has released urgent security updates to address three critical vulnerabilities in its widely used cPanel & WHM control panel software. These flaws, identified as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, were patched on May 8, 2026. They collectively enable attackers to read arbitrary files, inject Perl code for remote execution, and launch denial-of-service attacks, posing a severe risk to hosting environments and server administrators.
Table Of Content
- Key Takeaways
- Critical Flaws Discovered in cPanel & WHM Exposing Servers to RCE and DoS
- CVE-2026-29201: Path Traversal Leading to Arbitrary File Read
- CVE-2026-29202: Perl Code Injection in User Creation API
- CVE-2026-29203: Unsafe Symlink Handling and DoS Potential
- Affected Versions and Patched Releases
- What You Should Do
This disclosure follows an active exploitation in April of another critical cPanel vulnerability, CVE-2026-41940, which allowed attackers to bypass login mechanisms entirely. The ongoing discovery of severe vulnerabilities underscores the critical need for timely patching and robust security practices among cPanel users.
CVE-2026-29201: Path Traversal Leading to Arbitrary File Read
The first vulnerability, CVE-2026-29201, is a path traversal flaw residing within the feature::LOADFEATUREFILE adminbin call. This component fails to adequately validate the feature file name parameter. An attacker can exploit this by supplying a relative path as an argument, making any file on the server world-readable.
Such a vulnerability can expose highly sensitive system files, including configuration data, user credentials, and private cryptographic keys. Access to these assets can serve as a critical stepping stone for adversaries to deepen their compromise of the system.
CVE-2026-29202: Perl Code Injection in User Creation API
The most critical of the three identified flaws is CVE-2026-29202, a Perl code injection vulnerability. This flaw impacts the create_user API call, specifically through the plugin parameter. Insufficient sanitization of input to this parameter allows an attacker to inject and execute arbitrary Perl code on the server.
Remote Code Execution (RCE) vulnerabilities like this represent the highest level of risk, potentially leading to a complete server takeover. Attackers could exfiltrate sensitive data, deploy malware, or establish persistent backdoors across entire hosted environments.
CVE-2026-29203: Unsafe Symlink Handling and DoS Potential
The third vulnerability, CVE-2026-29203, stems from unsafe symbolic link handling. This allows an authenticated user to modify the permissions of an arbitrary file on the system using chmod. While seemingly less severe, this flaw can be leveraged to disrupt critical system operations, leading to denial-of-service (DoS) conditions.
Furthermore, CVE-2026-29203 could be chained with other vulnerabilities to escalate privileges, potentially granting unauthorized administrative access to an attacker.
Affected Versions and Patched Releases
All three vulnerabilities impact the same range of cPanel & WHM versions. cPanel has issued patches across all actively maintained branches. Administrators must update their installations to one of the following versions or newer:
- 11.136.0.9
- 11.134.0.25
- 11.132.0.31
- 11.130.0.22
- 11.126.0.58
- 11.124.0.37
- 11.118.0.66
- 11.110.0.116
- 11.110.0.117
- 11.102.0.41
- 11.94.0.30
- 11.86.0.43
Users of WP Squared should specifically upgrade to version 11.136.1.10 or higher. For servers running CentOS 6 or CloudLinux 6, a direct update to version 110.0.114 is available by first setting the upgrade tier using the command: sed -i "s/CPANEL=.*/CPANEL=cl6110/g" /etc/cpupdate.conf.
What You Should Do
- Apply Patches Immediately: Run the forced update script on your cPanel installation:
/scripts/upcp --force. - Verify Installation: After updating, confirm the installed version using:
/usr/local/cpanel/cpanel -V. Ensure it matches one of the patched releases listed above. - Review Logs: Scrutinize server logs for any indicators of compromise or exploitation activity, especially given the severity of the Perl code injection vulnerability.
- Isolate Shared Environments: For hosting providers, be aware that these flaws, particularly the RCE and privilege escalation risks, pose a significant threat to shared hosting environments. Implement additional isolation measures where possible.
- Stay Updated: Regularly monitor cPanel’s security announcements and apply updates promptly to mitigate future risks.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.