cPanel & WHM has disclosed three new critical security vulnerabilities that could allow attackers to execute malicious code, read sensitive files, and disrupt servers through denial-of-service attacks.
The newly disclosed flaws are tracked as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203. The company released security patches for these issues on May 8, 2026, and is urging administrators to update their servers immediately.
The disclosure comes just days after reports about another serious cPanel vulnerability, CVE-2026-41940, which was reportedly exploited in the wild and allowed attackers to bypass login protections completely. The latest vulnerabilities add more pressure on hosting providers and server administrators to secure their systems quickly.
The most severe of the newly discovered flaws is CVE-2026-29202. It affects the create_user API call and can lead to Perl code injection through an unsanitized plugin parameter. Successful exploitation could allow attackers to execute arbitrary Perl code on the server remotely. Security experts generally consider remote code execution vulnerabilities among the most dangerous because they can result in full server compromise, malware deployment, and unauthorized access to hosted websites and customer data.
Another flaw, CVE-2026-29201, is an arbitrary file read vulnerability caused by improper validation in the feature::LOADFEATUREFILE adminbin call. Attackers can exploit the issue using path traversal techniques to make sensitive files readable. This could expose configuration files, credentials, encryption keys, and other important server data.
The third vulnerability, CVE-2026-29203, is related to unsafe symlink handling. The issue allows users to change permissions on arbitrary files within the system. Attackers could abuse this flaw to trigger denial-of-service conditions or potentially combine it with other vulnerabilities for privilege escalation attacks.
According to cPanel, all three vulnerabilities affect multiple supported versions of cPanel & WHM and also impact WP Squared. The company has already released patched versions across active branches.
Administrators are advised to update to patched releases including versions 11.136.0.9, 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, 11.124.0.37, 11.118.0.66, 11.110.0.116, 11.102.0.41, 11.94.0.30, or 11.86.0.43 and later. WP Squared users should update to version 11.136.1.10 or newer.
cPanel has also provided commands for applying updates manually. Administrators can force an update using:
/scripts/upcp --forceAfter updating, they can verify the installed version with:
/usr/local/cpanel/cpanel -VThe vulnerabilities are dangerous for shared hosting providers where multiple customers operate on the same server environment. A successful exploit could allow attackers to move laterally between accounts or even gain full control over the server.
