Cpanel
by CPanel
CVEs (413)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-41940 | cPanel | Critical | 0.92 | 9.8 | 0.98 | KEV | Apr 29, 2026 | cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel. |
| CVE-2006-5014 | cPanel | High | 0.61 | 8.8 | 0.04 | — | Sep 27, 2006 | Unspecified vulnerability in cPanel before 10.9.0 12 Tree allows remote authenticated users to gain privileges via unspecified vectors in (1) mysqladmin and (2) hooksadmin. |
| CVE-2026-29201 | cPanel | High | 0.56 | 8.6 | 0.00 | — | May 8, 2026 | Insufficient input validation of the feature file name in the `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed. |
| CVE-2026-32993 | cPanel | High | 0.54 | 8.3 | 0.00 | — | May 13, 2026 | Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows an unauthenticated attacker to inject arbitrary HTTP headers into the response. |
| CVE-2026-32991 | cPanel | High | 0.46 | 7.1 | 0.00 | — | May 13, 2026 | Improper authorization checks of team member privileges allow a team member to escalate privileges to the team owner account. |
| CVE-2018-16236 | cPanel | Medium | 0.40 | 6.1 | 0.01 | — | Aug 30, 2018 | cPanel through 74 allows XSS via a crafted filename in the logs subdirectory of a user account, because the filename is mishandled during frontend/THEME/raw/index.html rendering. |
| CVE-2017-5614 | cPanel | Medium | 0.40 | 6.1 | 0.01 | — | Mar 3, 2017 | Open redirect vulnerability in cgiemail and cgiecho allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the (1) success or (2) failure parameter. |
| CVE-2004-1603 | cPanel | Medium | 0.36 | 5.5 | 0.02 | — | Oct 18, 2004 | cPanel 9.4.1-RELEASE-64 follows hard links, which allows local users to (1) read arbitrary files via the backup feature or (2) chown arbitrary files via the .htaccess file when Front Page extensions are enabled or disabled. |
| CVE-2017-11441 | cPanel | Medium | 0.35 | 5.4 | 0.01 | — | Jul 19, 2017 | The WHM Upload Locale interface in cPanel before 56.0.51, 58.x before 58.0.52, 60.x before 60.0.45, 62.x before 62.0.27, 64.x before 64.0.33, and 66.x before 66.0.2 has XSS via a locale filename, aka SEC-297. |
| CVE-2023-29489 | cPanel | — | 0.07 | — | 0.66 | — | Apr 27, 2023 | An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31. |
| CVE-2004-1769 | cPanel | — | 0.05 | — | 0.30 | — | Mar 11, 2004 | The "Allow cPanel users to reset their password via email" feature in cPanel 9.1.0 build 34 and earlier, including 8.x, allows remote attackers to execute arbitrary code via the user parameter to resetpass. |
| CVE-2008-6843 | cPanel | — | 0.04 | — | 0.07 | — | Jul 2, 2009 | Directory traversal vulnerability in index.php in Fantastico, as used with cPanel 11.x, allows remote attackers to read arbitrary files via a .. (dot dot) in the sup3r parameter. |
| CVE-2004-1770 | cPanel | — | 0.04 | — | 0.10 | — | Mar 11, 2004 | The login page for cPanel 9.1.0, and possibly other versions, allows remote attackers to execute arbitrary code via shell metacharacters in the user parameter. |
| CVE-2003-1425 | cPanel | — | 0.04 | — | 0.11 | — | Dec 31, 2003 | guestbook.cgi in cPanel 5.0 allows remote attackers to execute arbitrary commands via the template parameter. |
| CVE-2009-4823 | cPanel | — | 0.03 | — | 0.02 | — | Apr 27, 2010 | Cross-site scripting (XSS) vulnerability in frontend/x3/files/fileop.html in cPanel 11.0 through 11.24.7 allows remote attackers to inject arbitrary web script or HTML via the fileop parameter. |
| CVE-2008-7142 | cPanel | — | 0.03 | — | 0.03 | — | Sep 1, 2009 | Absolute path traversal vulnerability in the Disk Usage module (frontend/x/diskusage/index.html) in cPanel 11.18.3 allows remote attackers to list arbitrary directories via the showtree parameter. |
| CVE-2008-6927 | cPanel | — | 0.03 | — | 0.04 | — | Aug 10, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in autoinstall4imagesgalleryupgrade.php in the Fantastico De Luxe Module for cPanel allow remote attackers to inject arbitrary web script or HTML via the (1) localapp, (2) updatedir, (3) scriptpath_show, (4) domain_show, (5)… |
| CVE-2009-2275 | cPanel | — | 0.03 | — | 0.04 | — | Jul 1, 2009 | Directory traversal vulnerability in frontend/x3/stats/lastvisit.html in cPanel allows remote attackers to read arbitrary files via a .. (dot dot) in the domain parameter. |
| CVE-2008-2478 | cPanel | — | 0.03 | — | 0.04 | — | May 28, 2008 | scripts/wwwacct in cPanel 11.18.6 STABLE and earlier and 11.23.1 CURRENT and earlier allows remote authenticated users with reseller privileges to execute arbitrary code via shell metacharacters in the Email address field (aka Email text box). NOTE: the vendor disputes this,… |
| CVE-2008-2070 | cPanel | — | 0.03 | — | 0.02 | — | May 12, 2008 | The WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allows remote attackers to bypass XSS protection and inject arbitrary script or HTML via repeated, improperly-ordered "<" and ">" characters in the (1) issue parameter to scripts2/knowlegebase,… |