New cPanel & WHM Flaws Allow Code Execution Enable Attacks

Emy Elsamnoudy
May 10, 2026

cPanel has disclosed three critical security vulnerabilities—<a href="https://support.cpanel.net/hc/en-us/articles/40311033698327-Security-CVE-2026-29201-cPanel-WHM-WP2-Security-Update-May-08

Table Of Content

  • CVE-2026-29201: Arbitrary File Read via Path Traversal
  • CVE-2026-29202: Perl Code Injection in User Creation API
  • CVE-2026-29203: Unsafe Symlink Handling
  • Affected Versions and Patched Releases
  • How to Apply the Patch

The flaws, patched on May 8, 2026, expose servers to arbitrary file reads, Perl code injection, and denial-of-service (DoS) attacks, making immediate patching essential for hosting providers and server administrators.

In April, another cPanel vulnerability, tracked as CVE-2026-41940, was exploited in the wild, enabling attackers to completely bypass login mechanisms.

CVE-2026-29201: Arbitrary File Read via Path Traversal

The first vulnerability resides in the feature::LOADFEATUREFILE adminbin call, which fails to adequately validate the feature file name parameter. An attacker can pass a relative path as the argument, causing an arbitrary file on the server to be made world-readable.

This type of path traversal flaw can expose sensitive system files, including configuration files, credentials, and private keys — giving attackers a foothold for deeper compromise.

CVE-2026-29202: Perl Code Injection in User Creation API

The second and most severe flaw is a Perl code injection vulnerability discovered in the create_user API call, specifically related to the plugin parameter. When unsanitized input reaches this parameter, attackers can inject and execute arbitrary Perl code on the server. Remote code execution (RCE) vulnerabilities of this nature carry the highest risk, potentially allowing full server takeover, data exfiltration, and deployment of malware or backdoors across hosted environments.

CVE-2026-29203: Unsafe Symlink Handling

The third flaw stems from unsafe symlink handling that permits a user to chmod an arbitrary file on the system.

This flaw can be exploited to disrupt critical system operations, resulting in denial-of-service conditions, and could also be chained with other vulnerabilities to escalate privileges and gain unauthorized administrative access.

Affected Versions and Patched Releases

All three vulnerabilities affect the same range of cPanel & WHM versions. cPanel has released patches across all active branches.

Administrators should update to one of the following versions or higher: 11.136.0.9, 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, 11.124.0.37, 11.118.0.66, 11.110.0.116, 11.110.0.117, 11.102.0.41, 11.94.0.30, or 11.86.0.43. WP Squared users should upgrade to version 11.136.1.10 or higher.

Servers running CentOS 6 or CloudLinux 6 can apply a direct update to version 110.0.114 by first setting the upgrade tier with the following command:

sed -i "s/CPANEL=.*/CPANEL=cl6110/g" /etc/cpupdate.conf

How to Apply the Patch

Administrators can update their cPanel installation immediately by running the forced update script:

/scripts/upcp --force

Once completed, verify the installed version using:

/usr/local/cpanel/cpanel -V

Confirm the version matches one of the patched releases listed above before considering the remediation complete.
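
A version check for the confirmation step above, as an added example that is not cPanel's or this article's own code: it encodes the patched builds listed under Affected Versions and compares a version string against the entry for its branch. The function name, the return codes, and the assumption that the caller supplies the installed version in the four-part form used in that list are this example's.

```shell
#!/bin/sh
# Minimum patched build per branch, copied from the list in this article.
# 11.110.0 appears twice in that list (116 and 117); the lower value is used.
# 11.136.1 is the WP Squared entry. The CentOS 6 / CloudLinux 6 build that the
# article names separately is not part of this table.
PATCHED="11.136.1:10 11.136.0:9 11.134.0:25 11.132.0:31 11.130.0:22
11.126.0:58 11.124.0:37 11.118.0:66 11.110.0:116 11.102.0:41 11.94.0:30
11.86.0:43"
NEWEST_MINOR=136   # highest branch number in the list

# check_version VERSION   (VERSION in four-part form, e.g. 11.134.0.25)
# returns 0 = at or above the patched build for its branch
#         1 = on a listed branch but below the patched build
#         2 = malformed input, or a branch the list does not cover
check_version() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;   # digits and single dots only
    esac
    IFS=. read -r major minor patch build extra <<EOF
$1
EOF
    # exactly four components are required
    [ -n "$build" ] && [ -z "$extra" ] || return 2

    branch="$major.$minor.$patch"
    for entry in $PATCHED; do
        if [ "${entry%%:*}" = "$branch" ]; then
            [ "$build" -ge "${entry##*:}" ] && return 0
            return 1
        fi
    done

    # "or higher": a branch newer than every listed one counts as patched
    [ "$major" -eq 11 ] && [ "$minor" -gt "$NEWEST_MINOR" ] && return 0
    return 2
}
```

A return code of 2 means the list above does not cover that branch, so the result should be treated as unverified rather than as patched.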

Given that CVE-2026-29202 enables direct code execution and CVE-2026-29203 opens the door to privilege escalation, these flaws pose a serious risk to shared hosting environments where multiple tenants operate on a single server.

Hosting providers running unpatched cPanel installations face significant exposure to lateral movement and full server compromise.

Administrators are urged to apply available patches without delay and review server logs for any signs of exploitation activity.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
