cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to cause privilege escalation, code execution, and denial of service.
The list of weaknesses is as follows –
- CVE-2026-29201 (CVSS Score: 4.3) – Insufficient input validation of the feature file name in the “FEATURE::LOADFEATUREFILE” adminbin call resulting in an arbitrary file being read.
- CVE-2026-29202 (CVSS Score: 8.8) – Insufficient input validation of the “plugin” parameter in the “create_user API” call could result in arbitrary Perl code execution on behalf of a system user of an already authenticated account.
- CVE-2026-29203 (CVSS Score: 8.8) – An insecure symlink handling vulnerability that allows a user to modify the access permissions of an arbitrary file by using chmod, resulting in a denial of service or possible privilege escalation.
The deficiencies have been addressed in the following versions –
- cPanel and WHM –
  - 11.136.0.9 and higher
  - 11.134.0.25 and higher
  - 11.132.0.31 and higher
  - 11.130.0.22 and higher
  - 11.126.0.58 and higher
  - 11.124.0.37 and higher
  - 11.118.0.66 and higher
  - 11.110.0.116 and higher
  - 11.110.0.117 and higher
  - 11.102.0.41 and higher
  - 11.94.0.30 and higher
  - 11.86.0.43 and higher
- WP squared –
cPanel has released 110.0.114 as a direct update for customers who are still on CentOS 6 or CloudLinux 6. Users are advised to update to the latest versions for optimal security.
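To check a host against the fixed builds listed above, the following added example (not cPanel's own tooling) compares a version string with the lowest fixed build on its release branch. The function names, the `legacy_os` flag, the `/usr/local/cpanel/version` path and the treatment of `110.0.114` as `11.110.0.114` are assumptions of this sketch.

```python
import re

# Fixed builds copied from the list above ("<build> and higher").
FIXED_BUILDS = """
11.136.0.9 11.134.0.25 11.132.0.31 11.130.0.22 11.126.0.58 11.124.0.37
11.118.0.66 11.110.0.116 11.110.0.117 11.102.0.41 11.94.0.30 11.86.0.43
""".split()
# Direct update the article names for CentOS 6 / CloudLinux 6 hosts.
LEGACY_OS_BUILD = "110.0.114"


def parse(version):
    """Split '11.136.0.9' or '136.0.9' into (branch, (minor, build))."""
    m = re.fullmatch(r"\s*(?:11\.)?(\d+)\.(\d+)\.(\d+)\s*", version)
    if not m:
        raise ValueError(f"unrecognised cPanel version: {version!r}")
    branch, minor, build = map(int, m.groups())
    return branch, (minor, build)


def fixed_floors(legacy_os=False):
    """Lowest listed fixed build per release branch."""
    builds = FIXED_BUILDS + ([LEGACY_OS_BUILD] if legacy_os else [])
    floors = {}
    for branch, rest in map(parse, builds):
        floors[branch] = min(rest, floors.get(branch, rest))
    return floors


def check(version, legacy_os=False):
    """Return 'patched', 'needs-update' or 'unlisted-branch'."""
    branch, rest = parse(version)
    floors = fixed_floors(legacy_os)
    if branch not in floors:
        # The article lists no fixed build for this branch; do not guess.
        return "unlisted-branch"
    return "patched" if rest >= floors[branch] else "needs-update"


if __name__ == "__main__":
    # Assumption: the installed version is stored in this file on the host.
    path = "/usr/local/cpanel/version"
    try:
        with open(path) as fh:
            installed = fh.read().strip()
    except OSError:
        installed = "11.134.0.24"  # constructed sample for an offline run
    print(installed, "->", check(installed))
```

A result of `unlisted-branch` means the article names no fixed build for that release branch, so the host should be moved to a listed branch rather than assumed safe.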
While there is no evidence that the vulnerabilities have been exploited in the wild, the disclosure comes just days after another serious flaw in the product (CVE-2026-41940) was weaponized as a zero-day by threat actors to deliver Mirai botnet variants and a ransomware strain called SoR.