KEV · Published May 26, 2026 · 1 source

CISA Adds LiteSpeed cPanel Plugin Privilege Escalation Flaw to KEV Catalog

CISA has added CVE-2026-48172, a privilege escalation vulnerability in the LiteSpeed cPanel Plugin, to its Known Exploited Vulnerabilities catalog due to evidence of active exploitation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. The flaw, tracked as CVE-2026-48172, is a privilege escalation vulnerability in the LiteSpeed cPanel Plugin. This plugin is widely used by web hosting providers to integrate the LiteSpeed web server with cPanel, a popular hosting control panel.

Privilege escalation vulnerabilities allow an attacker with limited access to gain higher-level permissions on a system. In the context of a web hosting environment, successful exploitation of CVE-2026-48172 could enable a malicious actor to move from a low-privileged account to root or administrative access, potentially compromising the entire server and all hosted websites. CISA describes this type of vulnerability as a frequent attack vector for malicious cyber actors and notes that it poses significant risks to the federal enterprise.

The addition to the KEV Catalog is driven by Binding Operational Directive (BOD) 22-01, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by a specified due date. While the directive only applies to federal agencies, CISA strongly urges all organizations to prioritize patching CVE-2026-48172 as part of their vulnerability management practices. The agency will continue to add vulnerabilities to the catalog that meet the specified criteria of active exploitation and significant risk.

LiteSpeed Technologies has not yet released a public advisory specifically addressing CVE-2026-48172, but users of the LiteSpeed cPanel Plugin are advised to check for updates and apply any available patches immediately. The plugin is commonly deployed on shared hosting environments, where a single server may host hundreds or thousands of websites, making the potential blast radius of a successful exploit particularly large.

This KEV addition comes amid a broader trend of CISA rapidly cataloging actively exploited vulnerabilities to drive emergency patching. The agency has added several other flaws to the catalog in recent weeks, including vulnerabilities in Langflow, Trend Micro Apex One, and Microsoft Defender. The inclusion of CVE-2026-48172 underscores the persistent threat posed by privilege escalation bugs in widely deployed server software.

Organizations that use the LiteSpeed cPanel Plugin should verify their current version and apply any security updates as soon as they become available. CISA's KEV Catalog serves as a critical resource for prioritizing remediation efforts, and the agency continues to urge all organizations to treat KEV-listed vulnerabilities as urgent patching priorities.
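The BOD 22-01 workflow described above (KEV entry, required action, due date) is easy to operationalize against an asset inventory. The following is an added example, not code from the Vypr article or from CISA: it matches a list of assets against a KEV-catalog-shaped JSON document and reports the remediation deadline for each hit. The field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`, `knownRansomwareCampaignUse`) follow the published KEV JSON feed schema and `KEV_FEED_URL` is the real feed location, but the feed is not fetched here; the two catalog entries and the three inventory hosts are constructed sample data. CVE-2026-48172 and the product name come from the article, while its `dateAdded`/`dueDate` values and the second entry (`CVE-XXXX-PLACEHOLDER`) are placeholders.

```python
"""Added example: triage an asset inventory against a KEV-shaped JSON feed.
Not from the article or CISA. Catalog entries and inventory below are constructed."""
import json
from datetime import date

# Real location of CISA's KEV feed; a production version would fetch it. Not fetched here.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the KEV feed. CVE ID and product for the first entry
# come from the article; its dates are placeholders. The second entry is entirely fictional.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-48172",
            "vendorProject": "LiteSpeed Technologies",
            "product": "LiteSpeed cPanel Plugin",
            "vulnerabilityName": "LiteSpeed cPanel Plugin Privilege Escalation Vulnerability",
            "dateAdded": "2026-05-26",          # placeholder
            "dueDate": "2026-06-16",            # placeholder (BOD 22-01 due dates come from the feed)
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use "
                              "of the product if mitigations are unavailable.",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-XXXX-PLACEHOLDER",    # fictional entry, not a real CVE
            "vendorProject": "Example Vendor",
            "product": "Example Appliance",
            "vulnerabilityName": "Example Appliance Placeholder Vulnerability",
            "dateAdded": "2026-05-20",
            "dueDate": "2026-06-10",
            "requiredAction": "Apply updates per vendor instructions.",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed inventory: two shared-hosting nodes running the plugin (one with sloppy
# casing/whitespace, as real CMDB exports often have) and one unrelated host.
SAMPLE_INVENTORY = [
    {"host": "shared-web-01", "vendor": "LiteSpeed Technologies", "product": "LiteSpeed cPanel Plugin"},
    {"host": "shared-web-02", "vendor": "litespeed technologies", "product": " litespeed  cpanel plugin "},
    {"host": "mail-01", "vendor": "Apache", "product": "Apache httpd"},
]


def _norm(s: str) -> str:
    """Case-fold and collapse whitespace so inventory strings match catalog strings."""
    return " ".join(s.lower().split())


def kev_index(feed_json: str) -> dict:
    """Index catalog entries by normalized product name. KEV product names are free text,
    so exact matching after normalization is a floor; real deployments usually add a
    product-alias table (e.g. CPE mapping) on top of this."""
    feed = json.loads(feed_json)
    index: dict = {}
    for entry in feed["vulnerabilities"]:
        index.setdefault(_norm(entry["product"]), []).append(entry)
    return index


def triage(feed_json: str, inventory: list, today_iso: str) -> list:
    """Return one finding per (asset, KEV entry) match with days left until the due date,
    sorted so the most urgent deadlines come first."""
    today = date.fromisoformat(today_iso)
    index = kev_index(feed_json)
    findings = []
    for asset in inventory:
        for entry in index.get(_norm(asset["product"]), []):
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "days_left": (due - today).days,   # negative once the deadline has passed
                "overdue": today > due,
                "requiredAction": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["dueDate"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, date.today().isoformat()):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['host']:14} {f['cveID']:22} due {f['dueDate']} ({status})")
```

Feeding the real KEV JSON in place of `SAMPLE_KEV_JSON` turns this into a daily check; the caveat worth remembering is the product-name matching, since the catalog's `vendorProject`/`product` strings are not guaranteed to line up with whatever your inventory calls the same software.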

Synthesized by Vypr AI