CISA Adds LiteSpeed cPanel Plugin Privilege Escalation Flaw to KEV Catalog
CISA has added CVE-2026-48172, a privilege escalation vulnerability in the LiteSpeed cPanel Plugin, to its Known Exploited Vulnerabilities catalog due to evidence of active exploitation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. The flaw, tracked as CVE-2026-48172, is a privilege escalation vulnerability in the LiteSpeed cPanel Plugin. This plugin is widely used by web hosting providers to integrate the LiteSpeed web server with cPanel, a popular hosting control panel.
Privilege escalation vulnerabilities allow an attacker with limited access to gain higher-level permissions on a system. In the context of a web hosting environment, successful exploitation of CVE-2026-48172 could enable a malicious actor to move from a low-privileged account to root or administrative access, potentially compromising the entire server and all hosted websites. CISA describes this type of vulnerability as a frequent attack vector for malicious cyber actors and notes that it poses significant risks to the federal enterprise.
The addition to the KEV Catalog is driven by Binding Operational Directive (BOD) 22-01, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by a specified due date. While the directive only applies to federal agencies, CISA strongly urges all organizations to prioritize patching CVE-2026-48172 as part of their vulnerability management practices. The agency will continue to add vulnerabilities to the catalog that meet the specified criteria of active exploitation and significant risk.
LiteSpeed Technologies has not yet released a public advisory specifically addressing CVE-2026-48172, but users of the LiteSpeed cPanel Plugin are advised to check for updates and apply any available patches immediately. The plugin is commonly deployed on shared hosting environments, where a single server may host hundreds or thousands of websites, making the potential blast radius of a successful exploit particularly large.
This KEV addition comes amid a broader trend of CISA rapidly cataloging actively exploited vulnerabilities to drive emergency patching. The agency has added several other flaws to the catalog in recent weeks, including vulnerabilities in Langflow, Trend Micro Apex One, and Microsoft Defender. The inclusion of CVE-2026-48172 underscores the persistent threat posed by privilege escalation bugs in widely deployed server software.
Organizations that use the LiteSpeed cPanel Plugin should verify their current version and apply any security updates as soon as they become available. CISA's KEV Catalog serves as a critical resource for prioritizing remediation efforts, and the agency continues to urge all organizations to treat KEV-listed vulnerabilities as urgent patching priorities.
CISA has now formally added the LiteSpeed cPanel plugin zero-day (CVE-2026-48172) to its Known Exploited Vulnerabilities catalog, ordering federal agencies to apply the vendor patch by June 17, 2026. The advisory confirms that the flaw was exploited in the wild as a zero-day to execute arbitrary scripts with root privileges, underscoring the urgency for all organizations using the plugin to patch immediately.
CISA has now mandated that U.S. federal agencies patch CVE-2026-48172 within four days, by midnight on Friday, May 29, under Binding Operational Directive 22-01, citing active exploitation. The agency also urged all private-sector defenders to prioritize the update, warning that the vulnerability is a frequent attack vector for malicious cyber actors. LiteSpeed previously released urgent security updates for the flaw, which affects plugin versions between v2.3 and v2.4.4.
A new article from Cyber Security News reiterates the KEV addition and provides additional context on the exploitation mechanism, emphasizing that any authenticated cPanel user can execute arbitrary scripts with root privileges, and that the flaw is particularly dangerous in multi-tenant hosting environments. The report also notes that while no ransomware link has been confirmed, the potential for lateral movement and full server compromise remains high, urging organizations to apply patches immediately or restrict permissions and monitor for privilege escalation activity.
The same CVE-2026-48172 identifier is now confirmed to affect WordPress, not just the LiteSpeed cPanel Plugin, as CISA added it to the KEV catalog on May 26, 2026, citing active exploitation. This contradicts earlier reports that limited the flaw to LiteSpeed's cPanel plugin, indicating the vulnerability may be broader or that CISA's entry encompasses multiple products. WordPress administrators should treat this as a high-priority event and apply patches immediately, while federal agencies must remediate under BOD 22-01 timelines.