VYPR
Vendor

cPanel

cPanel is a web hosting control panel developed by cPanel, L.L.C. It provides a graphical user interface (GUI) and automation tools that simplify hosting a website for the site owner or "end user", administered through a standard web browser in a three-tier structure (server administrator, reseller, end user). cPanel itself manages a single hosting account; cPanel & WHM (WebHost Manager) extends administration to the entire server.

Products: 22
CVEs: 436 (458 across products)
Status: Private

Recent CVEs (436 total)

  • CVE-2026-41940  (Critical, KEV)  Apr 29, 2026
    risk 0.92, CVSS 9.8, EPSS 0.98

    cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

  • CVE-2026-47365  (Critical)  Jun 12, 2026
    risk 0.64, CVSS 9.9, EPSS 0.00

    Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.

  • CVE-2006-5014  (High)  Sep 27, 2006
    risk 0.61, CVSS 8.8, EPSS 0.04

    Unspecified vulnerability in cPanel before 10.9.0 12 Tree allows remote authenticated users to gain privileges via unspecified vectors in (1) mysqladmin and (2) hooksadmin.

  • CVE-2026-29201  (High)  May 8, 2026
    risk 0.56, CVSS 8.6, EPSS 0.00

    Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.

  • CVE-2026-32993  (High)  May 13, 2026
    risk 0.54, CVSS 8.3, EPSS 0.00

    Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.

  • CVE-2017-5613  (High)  Mar 3, 2017
    risk 0.51, CVSS 7.8, EPSS 0.03

    Format string vulnerability in cgiemail and cgiecho allows remote attackers to execute arbitrary code via format string specifiers in a template file.

  • CVE-2026-32991  (High)  May 13, 2026
    risk 0.46, CVSS 7.1, EPSS 0.00

    Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account.

  • CVE-2026-9516  (High)  Jun 3, 2026
    risk 0.42, CVSS 7.5, EPSS 0.00

    Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws. To skip a leading 3-byte UTF-8 BOM, decode_json() advances the input scalar's string pointer past the mark with SvPV_set() and restores it…

  • CVE-2026-9334  (High)  Jun 3, 2026
    risk 0.40, CVSS 7.3, EPSS 0.00

    Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled. decode_hv() collapses duplicate object keys into an array reference under dupkeys_as_arrayref. The branch reached for a duplicate key tests `SvTYPE…

  • CVE-2018-16236  (Medium)  Aug 30, 2018
    risk 0.40, CVSS 6.1, EPSS 0.01

    cPanel through 74 allows XSS via a crafted filename in the logs subdirectory of a user account, because the filename is mishandled during frontend/THEME/raw/index.html rendering.

  • CVE-2017-5616  (Medium)  Mar 3, 2017
    risk 0.40, CVSS 6.1, EPSS 0.01

    Cross-site scripting (XSS) vulnerability in cgiemail and cgiecho allows remote attackers to inject arbitrary web script or HTML via the addendum parameter.

  • CVE-2017-5615  (Medium)  Mar 3, 2017
    risk 0.40, CVSS 6.1, EPSS 0.01

    cgiemail and cgiecho allow remote attackers to inject HTTP headers via a newline character in the redirect location.

  • CVE-2017-5614  (Medium)  Mar 3, 2017
    risk 0.40, CVSS 6.1, EPSS 0.01

    Open redirect vulnerability in cgiemail and cgiecho allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the (1) success or (2) failure parameter.

  • CVE-2004-1603  (Medium)  Oct 18, 2004
    risk 0.36, CVSS 5.5, EPSS 0.02

    cPanel 9.4.1-RELEASE-64 follows hard links, which allows local users to (1) read arbitrary files via the backup feature or (2) chown arbitrary files via the .htaccess file when Front Page extensions are enabled or disabled.

  • CVE-2017-11441  (Medium)  Jul 19, 2017
    risk 0.35, CVSS 5.4, EPSS 0.01

    The WHM Upload Locale interface in cPanel before 56.0.51, 58.x before 58.0.52, 60.x before 60.0.45, 62.x before 62.0.27, 64.x before 64.0.33, and 66.x before 66.0.2 has XSS via a locale filename, aka SEC-297.

  • CVE-2023-29489  Apr 27, 2023
    risk 0.07, CVSS n/a, EPSS 0.66

    An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.

  • CVE-2004-1769  Mar 11, 2004
    risk 0.05, CVSS n/a, EPSS 0.30

    The "Allow cPanel users to reset their password via email" feature in cPanel 9.1.0 build 34 and earlier, including 8.x, allows remote attackers to execute arbitrary code via the user parameter to resetpass.

  • CVE-2008-6843  Jul 2, 2009
    risk 0.04, CVSS n/a, EPSS 0.07

    Directory traversal vulnerability in index.php in Fantastico, as used with cPanel 11.x, allows remote attackers to read arbitrary files via a .. (dot dot) in the sup3r parameter.

  • CVE-2007-1455  Mar 14, 2007
    risk 0.04, CVSS n/a, EPSS 0.07

    Multiple absolute path traversal vulnerabilities in Fantastico, as used with cPanel 10.x, allow remote authenticated users to include and execute arbitrary local files via (1) the userlanguage parameter to includes/load_language.php or (2) the fantasticopath parameter to…

  • CVE-2004-1770  Mar 11, 2004
    risk 0.04, CVSS n/a, EPSS 0.10

    The login page for cPanel 9.1.0, and possibly other versions, allows remote attackers to execute arbitrary code via shell metacharacters in the user parameter.
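Two of the entries above (CVE-2017-11441 and CVE-2023-29489) state their affected ranges per release branch, which is how cPanel ships fixes: each branch that is still supported gets its own fixed build, so a plain "less than the newest fixed version" comparison misjudges a patched older branch. The checker below is an added example, not code from VYPR or cPanel. It assumes the version string format written to /usr/local/cpanel/version, 11.MAJOR.MINOR.BUILD, whose leading "11." the WHM interface omits (both spellings are accepted); the ranges are copied from the two entries, the sample versions are constructed, and a version in a branch the advisory does not name is reported as "unlisted" rather than guessed.

```python
"""Branch-aware version check for two cPanel CVEs listed on this page.

Added example (not VYPR's or cPanel's code). Assumes the version file
format 11.MAJOR.MINOR.BUILD (e.g. 11.109.9999.116); the short UI form
(109.9999.116) is accepted as well. Ranges copied from the CVE text.
"""
from typing import Dict, Tuple

Version = Tuple[int, int, int]


def parse_cpanel_version(text: str) -> Version:
    """Normalise '11.66.0.2', '66.0.2' or '66.0' to (66, 0, 2)-style tuples."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) >= 3 and parts[0] == 11:   # drop the legacy '11.' prefix
        parts = parts[1:]
    while len(parts) < 3:                     # pad short forms such as '66.0'
        parts.append(0)
    return (parts[0], parts[1], parts[2])


ADVISORIES: Dict[str, dict] = {
    # "before 56.0.51, 58.x before 58.0.52, 60.x before 60.0.45,
    #  62.x before 62.0.27, 64.x before 64.0.33, and 66.x before 66.0.2"
    "CVE-2017-11441": {
        "before": (56, 0, 51),
        "fixed_in": {56: (56, 0, 51), 58: (58, 0, 52), 60: (60, 0, 45),
                     62: (62, 0, 27), 64: (64, 0, 33), 66: (66, 0, 2)},
    },
    # "before 11.109.9999.116 ... fixed versions are 11.109.9999.116,
    #  11.108.0.13, 11.106.0.18, and 11.102.0.31"
    "CVE-2023-29489": {
        "before": (109, 9999, 116),
        "fixed_in": {109: (109, 9999, 116), 108: (108, 0, 13),
                     106: (106, 0, 18), 102: (102, 0, 31)},
    },
}


def assess(version: str, cve: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted' for one CVE.

    A branch with its own fixed build is judged against that build. Any other
    branch below the advisory's general "before" bound has no fix at all and
    is vulnerable; a branch above it is not mentioned by the advisory, so the
    answer is 'unlisted' rather than a guess."""
    v = parse_cpanel_version(version)
    adv = ADVISORIES[cve]
    fix = adv["fixed_in"].get(v[0])
    if fix is not None:
        return "vulnerable" if v < fix else "fixed"
    return "vulnerable" if v < adv["before"] else "unlisted"


def assess_all(version: str) -> Dict[str, str]:
    """Judge one installed version against every advisory in the table."""
    return {cve: assess(version, cve) for cve in ADVISORIES}


if __name__ == "__main__":
    # constructed sample versions, one per interesting case
    for sample in ("11.108.0.12", "108.0.13", "11.104.0.5", "110.0.1",
                   "64.0.32", "11.66.0.2", "57.0.3"):
        print(f"{sample:14} {assess_all(sample)}")
```

On a live host, feed `cat /usr/local/cpanel/version` into `assess_all`; extending the table is a matter of transcribing each advisory's per-branch fixed builds, which is exactly the information the CVE text for these two entries provides.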
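Three of the cgiemail/cgiecho and WHM entries above are the same two redirect-handling mistakes: a parameter copied into a response header with its newlines intact (CVE-2017-5615, CVE-2026-32993), and a redirect target taken from the request without checking where it points (CVE-2017-5614). The code below is an added example, not cgiemail's, WHM's or cPanel's code: a hypothetical CGI-style redirect handler in its vulnerable form beside a hardened one, with constructed payloads and a small response parser that makes the injected header visible.

```python
"""Redirect-parameter hardening: CRLF header injection and open redirect.

Added example, not code from cgiemail, WHM or cPanel. `build_redirect_*`
are hypothetical handlers; the payloads are constructed.
"""
from typing import Dict, Set
from urllib.parse import unquote, urlsplit


class RedirectRejected(ValueError):
    """Raised by the hardened path when the target is unsafe."""


def build_redirect_vulnerable(target: str) -> str:
    """Vulnerable form: the decoded parameter is copied into the header line.
    A CR/LF inside it terminates 'Location:' and starts an attacker header."""
    return f"Status: 302 Found\r\nLocation: {target}\r\n\r\n"


def check_redirect_target(target: str, allowed_hosts: Set[str]) -> str:
    """Hardened form: no control characters, and only rooted relative paths
    or absolute http(s) URLs whose host is on the allow list."""
    if any(ch in target for ch in "\r\n\0"):
        raise RedirectRejected("control character in redirect target")
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must start with exactly one '/'; '//host' is
        # protocol-relative and browsers also treat '/\host' that way.
        if not target.startswith("/") or target[1:2] in ("/", "\\"):
            raise RedirectRejected("relative target must be a single-rooted path")
        return target
    if parts.scheme not in ("http", "https"):
        raise RedirectRejected(f"scheme not allowed: {parts.scheme!r}")
    # hostname (not netloc) so 'https://good.example@evil.example/' is judged by evil.example
    if parts.hostname not in allowed_hosts:
        raise RedirectRejected(f"host not allowed: {parts.hostname!r}")
    return target


def build_redirect_hardened(target: str, allowed_hosts: Set[str]) -> str:
    safe = check_redirect_target(target, allowed_hosts)
    return f"Status: 302 Found\r\nLocation: {safe}\r\n\r\n"


def parse_cgi_response(raw: str) -> Dict[str, str]:
    """Split a CGI-style response into its header dict, so an injected
    line shows up as an extra header rather than as part of 'Location'."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:   # first line is the Status line
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


# Constructed payloads, as they would arrive percent-encoded in a query string.
PAYLOAD_CRLF = unquote("https://example.org/ok%0d%0aSet-Cookie:%20session=evil")
PAYLOAD_OPEN = "https://attacker.example/login"


def demo(allowed_hosts: Set[str] = frozenset({"example.org"})) -> Dict[str, object]:
    """Run both handlers over the payloads; returns what each one did."""
    results: Dict[str, object] = {
        "vulnerable_headers": parse_cgi_response(build_redirect_vulnerable(PAYLOAD_CRLF)),
    }
    cases = (("crlf", PAYLOAD_CRLF), ("open", PAYLOAD_OPEN),
             ("proto_relative", "//attacker.example/"),
             ("backslash", "/\\attacker.example/"),
             ("userinfo", "https://example.org@attacker.example/"),
             ("ok", "/cgi-bin/thanks.html"))
    for name, target in cases:
        try:
            build_redirect_hardened(target, set(allowed_hosts))
            results[name] = "accepted"
        except RedirectRejected as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:19} {value}")
```

The vulnerable handler turns the single `Location` value into two headers, which is the whole attack: whatever follows the injected CRLF (a cookie, a cache directive, or a blank line and a body) is served as the application's own response. The hardened check rejects on control characters first, because no amount of host allow-listing helps once the header line can be terminated.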