EXECUTIVE SUMMARY:
cPanel vulnerabilities affecting cPanel and WHM, including, can lead to sensitive file exposure and remote code execution when exploited by authenticated users. These flaws stem from insufficient input validation in administrative APIs, specifically the feature file loading and user plugin creation functions. The vulnerabilities are particularly dangerous in multi-tenant hosting environments because they allow attackers with limited privileges to escalate access, execute arbitrary code, and potentially pivot toward full system compromise. The issues were disclosed alongside emergency patches because of the risk of server takeover in real-world hosting infrastructures.

CVE-2026-29201 (CVSS score 8.6): improper validation of feature file names in feature::LOADFEATUREFILE allows an attacker to supply a crafted relative file path, leading to unauthorized reading of arbitrary files on the server. This can expose sensitive configuration files, credentials, and internal system data.

CVE-2026-29202 (CVSS score 8.8): insufficient validation of the plugin parameter in create_user allows an authenticated cPanel user to execute arbitrary Perl code under their system-level user context. This can be leveraged for further privilege escalation, lateral movement, or full server compromise, depending on system configuration.
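Both flaws are input-validation failures on a file name or plugin name that reaches a file or code loader. The following is an added example, not cPanel's code, showing the defensive pattern: a naive join that lets a relative path escape the intended directory, beside a hardened resolver that allowlists the name and verifies containment of the resolved path. The directory, function names and plugin registry are hypothetical.

```python
import os
import re

# Hypothetical feature-file directory for this example; cPanel's real layout
# is not described in the advisory above.
FEATURE_DIR = "/var/cpanel/features"

# Allowlist: one path component, safe characters only, no leading dot,
# so '/', '..' and hidden files cannot appear at all.
_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")

# Hypothetical fixed registry standing in for "plugins the server actually ships".
KNOWN_PLUGINS = frozenset({"default", "reseller_basic", "mail_only"})


def naive_feature_path(name: str, base_dir: str = FEATURE_DIR) -> str:
    """The weak pattern: trusts the caller's name and just joins it."""
    return os.path.normpath(os.path.join(base_dir, name))


def resolve_feature_file(name: str, base_dir: str = FEATURE_DIR) -> str:
    """Return the absolute path of feature file `name` inside `base_dir`,
    raising ValueError if the name could point anywhere else."""
    if not isinstance(name, str) or "\0" in name or not _NAME_RE.match(name):
        raise ValueError(f"feature name not allowed: {name!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Defence in depth: after symlink resolution the file must still sit
    # under base (this also rejects prefix collisions such as base + "2").
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the feature directory")
    return candidate


def is_safe_feature_name(name) -> bool:
    try:
        resolve_feature_file(name)
        return True
    except ValueError:
        return False


def is_known_plugin(name) -> bool:
    """A plugin parameter that selects code to load must match a fixed
    registry exactly; pattern checks alone are not enough for code loading."""
    return isinstance(name, str) and name in KNOWN_PLUGINS
```

The same allowlist-plus-registry rule applies to any parameter that selects a file or module to load on behalf of a lower-privileged user.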
RECOMMENDATION:
We strongly recommend updating cPanel and WHM to the fixed versions listed in the vendor advisories below:
CVE-2026-29201: https://support.cpanel.net/hc/en-us/articles/40311033698327-Security-CVE-2026-29201-cPanel-WHM-WP2-Security-Update-May-08-2026
CVE-2026-29202: https://support.cpanel.net/hc/en-us/articles/40311426610327-Security-CVE-2026-29202-cPanel-WHM-WP2-Security-Update-May-08-2026
REFERENCES:
The following report contains further technical details:
https://cybersecuritynews.com/cpanel-vulnerabilities/