LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root
A maximum-severity vulnerability in the LiteSpeed User-End cPanel Plugin is being actively exploited, allowing any cPanel user to execute arbitrary scripts with root privileges.

A critical security vulnerability in the LiteSpeed User-End cPanel Plugin, tracked as CVE-2026-48172, is under active exploitation in the wild. The flaw, which carries a CVSS score of 10.0, stems from incorrect privilege assignment within the plugin. This allows any cPanel user — including an attacker who has compromised a low-privilege account — to run arbitrary scripts with full root-level permissions on the underlying server.
The vulnerability affects the LiteSpeed User-End cPanel Plugin, a widely used add-on that integrates LiteSpeed Web Server functionality into cPanel hosting environments. Because the plugin runs with elevated privileges to perform administrative tasks, the incorrect privilege assignment effectively hands root access to any authenticated user. Security researchers warn that this makes the flaw particularly dangerous in shared hosting environments, where a single compromised account can lead to complete server takeover.
LiteSpeed Technologies has confirmed that CVE-2026-48172 is being actively exploited. While the company has not disclosed specific attack campaigns or threat actor attribution, the active exploitation suggests that proof-of-concept code or exploit details are circulating in the threat community. The vulnerability is especially concerning because it requires no special privileges beyond a standard cPanel account, which can be obtained through phishing, credential stuffing, or by exploiting other vulnerabilities.
The impact of this vulnerability is severe. An attacker who successfully exploits CVE-2026-48172 can execute arbitrary commands as root, allowing them to install backdoors, steal sensitive data such as database credentials and SSL certificates, modify server configurations, and pivot to other systems on the same network. In shared hosting environments, a single exploited account could compromise all websites hosted on the server, potentially affecting thousands of customers.
LiteSpeed Technologies has released a patch for CVE-2026-48172. All users of the LiteSpeed User-End cPanel Plugin are strongly advised to update to the latest version immediately. The company has not released specific version numbers or mitigation steps beyond applying the patch. Administrators should also review server logs for signs of unauthorized root-level command execution and consider implementing additional access controls, such as two-factor authentication for cPanel accounts.
This vulnerability highlights the ongoing risks associated with third-party plugins in web hosting control panels. cPanel and its ecosystem of plugins are a frequent target for attackers due to their widespread deployment and the high-value data they manage. The active exploitation of CVE-2026-48172 follows a pattern of recent attacks targeting cPanel and related software, including the exploitation of CVE-2026-41940 in cPanel & WHM by the threat group Mr_Rot13.
Organizations using LiteSpeed with cPanel should treat this as an emergency patching priority. The combination of a CVSS 10.0 score, active exploitation, and the potential for complete server compromise makes CVE-2026-48172 one of the most critical vulnerabilities to affect the web hosting industry this year. Administrators should also monitor CISA's Known Exploited Vulnerabilities catalog for potential inclusion, which would require federal agencies to patch within a strict timeline.
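
The KEV monitoring suggested above, as an added example (not code from LiteSpeed, cPanel or CISA): a Python check that matches the two CVE IDs named in this article against a KEV feed and reports the remediation due date and days remaining. The feed excerpt is constructed sample data in the feed's JSON schema that simulates a listing, and `check_kev` and `WATCHLIST` are hypothetical names.

```python
import json
from datetime import date

# Live feed, not fetched here so the example runs offline:
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# CONSTRUCTED excerpt in the feed's schema. The listing and its dates are
# invented to simulate inclusion; this is not real catalog data.
SAMPLE_FEED = json.dumps({
    "catalogVersion": "0000.00.00",
    "vulnerabilities": [
        {"cveID": "CVE-2026-48172", "vendorProject": "LiteSpeed",
         "product": "User-End cPanel Plugin", "dateAdded": "2026-01-10",
         "dueDate": "2026-01-31", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# CVE IDs taken from the article; the name WATCHLIST is an assumption.
WATCHLIST = ["CVE-2026-48172", "CVE-2026-41940"]


def check_kev(feed_text, watchlist, today):
    """Return {cve: status} for each watched CVE against a KEV JSON feed."""
    feed = json.loads(feed_text)
    listed = {v["cveID"].upper(): v for v in feed.get("vulnerabilities", [])}
    report = {}
    for cve in watchlist:
        entry = listed.get(cve.upper())
        if entry is None:
            # Not in the catalog (yet): keep polling, patch regardless.
            report[cve] = {"listed": False}
            continue
        due = date.fromisoformat(entry["dueDate"])
        report[cve] = {
            "listed": True,
            "date_added": entry["dateAdded"],
            "due_date": entry["dueDate"],
            "days_left": (due - today).days,  # negative once overdue
            "overdue": today > due,
            "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
        }
    return report


if __name__ == "__main__":
    # Fixed date so the output is reproducible; use date.today() in practice.
    for cve, status in check_kev(SAMPLE_FEED, WATCHLIST, date(2026, 1, 20)).items():
        print(cve, status)
```

To run it against the live catalog, download the feed to a file and pass its contents as `feed_text`.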