cPanel Issues Critical Patches for Three New Vulnerabilities in WHM and cPanel
cPanel has released urgent security patches for three vulnerabilities in its cPanel and WHM software that could allow attackers to execute arbitrary code, escalate privileges, or perform unauthorized file reads.

cPanel has released security updates to address three distinct vulnerabilities affecting its cPanel and Web Host Manager (WHM) platforms. These flaws, which range in severity from moderate to high, could potentially be leveraged by attackers to perform arbitrary file reads, execute malicious code, or escalate privileges on affected hosting environments The Hacker News.
The most severe issues, CVE-2026-29202 and CVE-2026-29203, both carry a CVSS score of 8.8. CVE-2026-29202 stems from insufficient input validation within the "plugin" parameter of the "create_user API" call, which can be exploited to execute arbitrary Perl code under the context of an authenticated system user. Meanwhile, CVE-2026-29203 involves unsafe symlink handling, allowing an attacker to manipulate file permissions via chmod. This can lead to a denial-of-service condition or facilitate privilege escalation The Hacker News.
A third vulnerability, CVE-2026-29201, is rated with a CVSS score of 4.3. It is caused by improper input validation of feature file names during the "feature::LOADFEATUREFILE" adminbin call. Successful exploitation of this flaw allows an attacker to perform an arbitrary file read, potentially exposing sensitive system information The Hacker News.
cPanel has issued patches across a wide range of product versions to mitigate these risks. Affected users are urged to update to version 11.136.0.9, 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, 11.124.0.37, 11.118.0.66, 11.110.0.116, 11.110.0.117, 11.102.0.41, 11.94.0.30, or 11.86.0.43. Additionally, WP Squared users should update to version 11.136.1.10 or higher. For customers operating on legacy CentOS 6 or CloudLinux 6 systems, cPanel has provided version 110.0.114 as a specific remediation path The Hacker News.
While there is currently no evidence that these specific vulnerabilities have been exploited in the wild, the urgency of these updates is underscored by recent activity targeting the platform. Just days prior to this disclosure, a separate critical vulnerability, CVE-2026-41940, was actively weaponized as a zero-day to distribute Mirai botnet variants and the "Sorry" ransomware strain The Hacker News.
The rapid succession of these disclosures highlights the ongoing focus threat actors place on web hosting infrastructure. As these platforms often manage large volumes of sensitive data and administrative access, they remain high-value targets for automated exploitation and ransomware campaigns. Administrators should prioritize patching cycles to ensure their environments are protected against both known and emerging threats.