High severity8.8NVD Advisory· Published May 8, 2026· Updated May 13, 2026
CVE-2026-29202
CVE-2026-29202
Description
Insufficient input validation of the plugin parameter of the create_user plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.
Patches
Vulnerability mechanics
References
1News mentions
2- ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and MoreThe Hacker News · May 11, 2026
- cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch NowThe Hacker News · May 9, 2026