Vendor CVEs
CPanel
All CVEs
436 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-41940 | | Critical | 0.92 | 9.8 | 0.98 | KEV | Apr 29, 2026 | cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel. |
| CVE-2026-47365 | | Critical | 0.64 | 9.9 | 0.00 | | Jun 12, 2026 | Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account. |
| CVE-2006-5014 | | High | 0.61 | 8.8 | 0.04 | | Sep 27, 2006 | Unspecified vulnerability in cPanel before 10.9.0 12 Tree allows remote authenticated users to gain privileges via unspecified vectors in (1) mysqladmin and (2) hooksadmin. |
| CVE-2026-29201 | | High | 0.56 | 8.6 | 0.00 | | May 8, 2026 | Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed. |
| CVE-2026-32993 | | High | 0.54 | 8.3 | 0.00 | | May 13, 2026 | Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response. |
| CVE-2017-5613 | | High | 0.51 | 7.8 | 0.03 | | Mar 3, 2017 | Format string vulnerability in cgiemail and cgiecho allows remote attackers to execute arbitrary code via format string specifiers in a template file. |
| CVE-2026-32991 | | High | 0.46 | 7.1 | 0.00 | | May 13, 2026 | Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account. |
| CVE-2026-9516 | | High | 0.42 | 7.5 | 0.00 | | Jun 3, 2026 | Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws. To skip a leading 3-byte UTF-8 BOM, decode_json() advances the input scalar's string pointer past the mark with SvPV_set() and restores it… |
| CVE-2026-9334 | | High | 0.40 | 7.3 | 0.00 | | Jun 3, 2026 | Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled. decode_hv() collapses duplicate object keys into an array reference under dupkeys_as_arrayref. The branch reached for a duplicate key tests `SvTYPE… |
| CVE-2018-16236 | | Medium | 0.40 | 6.1 | 0.01 | | Aug 30, 2018 | cPanel through 74 allows XSS via a crafted filename in the logs subdirectory of a user account, because the filename is mishandled during frontend/THEME/raw/index.html rendering. |
| CVE-2017-5616 | | Medium | 0.40 | 6.1 | 0.01 | | Mar 3, 2017 | Cross-site scripting (XSS) vulnerability in cgiemail and cgiecho allows remote attackers to inject arbitrary web script or HTML via the addendum parameter. |
| CVE-2017-5615 | | Medium | 0.40 | 6.1 | 0.01 | | Mar 3, 2017 | cgiemail and cgiecho allow remote attackers to inject HTTP headers via a newline character in the redirect location. |
| CVE-2017-5614 | | Medium | 0.40 | 6.1 | 0.01 | | Mar 3, 2017 | Open redirect vulnerability in cgiemail and cgiecho allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the (1) success or (2) failure parameter. |
| CVE-2004-1603 | | Medium | 0.36 | 5.5 | 0.02 | | Oct 18, 2004 | cPanel 9.4.1-RELEASE-64 follows hard links, which allows local users to (1) read arbitrary files via the backup feature or (2) chown arbitrary files via the .htaccess file when Front Page extensions are enabled or disabled. |
| CVE-2017-11441 | | Medium | 0.35 | 5.4 | 0.01 | | Jul 19, 2017 | The WHM Upload Locale interface in cPanel before 56.0.51, 58.x before 58.0.52, 60.x before 60.0.45, 62.x before 62.0.27, 64.x before 64.0.33, and 66.x before 66.0.2 has XSS via a locale filename, aka SEC-297. |
| CVE-2023-29489 | | | 0.07 | — | 0.66 | | Apr 27, 2023 | An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31. |
| CVE-2004-1769 | | | 0.05 | — | 0.30 | | Mar 11, 2004 | The "Allow cPanel users to reset their password via email" feature in cPanel 9.1.0 build 34 and earlier, including 8.x, allows remote attackers to execute arbitrary code via the user parameter to resetpass. |
| CVE-2008-6843 | | | 0.04 | — | 0.07 | | Jul 2, 2009 | Directory traversal vulnerability in index.php in Fantastico, as used with cPanel 11.x, allows remote attackers to read arbitrary files via a .. (dot dot) in the sup3r parameter. |
| CVE-2007-1455 | | | 0.04 | — | 0.07 | | Mar 14, 2007 | Multiple absolute path traversal vulnerabilities in Fantastico, as used with cPanel 10.x, allow remote authenticated users to include and execute arbitrary local files via (1) the userlanguage parameter to includes/load_language.php or (2) the fantasticopath parameter to… |
| CVE-2004-1770 | | | 0.04 | — | 0.10 | | Mar 11, 2004 | The login page for cPanel 9.1.0, and possibly other versions, allows remote attackers to execute arbitrary code via shell metacharacters in the user parameter. |
| CVE-2003-1425 | | | 0.04 | — | 0.11 | | Dec 31, 2003 | guestbook.cgi in cPanel 5.0 allows remote attackers to execute arbitrary commands via the template parameter. |
| CVE-2012-6448 | | | 0.03 | — | 0.02 | | Jan 27, 2020 | Cross-site Scripting (XSS) in cPanel WebHost Manager (WHM) 11.34.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2009-4823 | | | 0.03 | — | 0.02 | | Apr 27, 2010 | Cross-site scripting (XSS) vulnerability in frontend/x3/files/fileop.html in cPanel 11.0 through 11.24.7 allows remote attackers to inject arbitrary web script or HTML via the fileop parameter. |
| CVE-2008-7142 | | | 0.03 | — | 0.03 | | Sep 1, 2009 | Absolute path traversal vulnerability in the Disk Usage module (frontend/x/diskusage/index.html) in cPanel 11.18.3 allows remote attackers to list arbitrary directories via the showtree parameter. |
| CVE-2008-6927 | | | 0.03 | — | 0.04 | | Aug 10, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in autoinstall4imagesgalleryupgrade.php in the Fantastico De Luxe Module for cPanel allow remote attackers to inject arbitrary web script or HTML via the (1) localapp, (2) updatedir, (3) scriptpath_show, (4) domain_show, (5)… |
| CVE-2008-6926 | | | 0.03 | — | 0.04 | | Aug 10, 2009 | Directory traversal vulnerability in autoinstall4imagesgalleryupgrade.php in the Fantastico De Luxe Module for cPanel allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the scriptpath_show parameter in a GoAhead action. … |
| CVE-2009-2275 | | | 0.03 | — | 0.04 | | Jul 1, 2009 | Directory traversal vulnerability in frontend/x3/stats/lastvisit.html in cPanel allows remote attackers to read arbitrary files via a .. (dot dot) in the domain parameter. |
| CVE-2008-2478 | | | 0.03 | — | 0.04 | | May 28, 2008 | scripts/wwwacct in cPanel 11.18.6 STABLE and earlier and 11.23.1 CURRENT and earlier allows remote authenticated users with reseller privileges to execute arbitrary code via shell metacharacters in the Email address field (aka Email text box). NOTE: the vendor disputes this,… |
| CVE-2008-2070 | | | 0.03 | — | 0.02 | | May 12, 2008 | The WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allows remote attackers to bypass XSS protection and inject arbitrary script or HTML via repeated, improperly-ordered "<" and ">" characters in the (1) issue parameter to scripts2/knowlegebase,… |
| CVE-2008-1499 | | | 0.03 | — | 0.01 | | Mar 25, 2008 | Cross-site scripting (XSS) vulnerability in frontend/x/manpage.html in cPanel 11.18.3 and 11.21.0-BETA allows remote attackers to inject arbitrary web script or HTML via the query string. |
| CVE-2007-4022 | | | 0.03 | — | 0.02 | | Jul 26, 2007 | Cross-site scripting (XSS) vulnerability in frontend/x/htaccess/changepro.html in cPanel 10.9.1 allows remote attackers to inject arbitrary web script or HTML via the resname parameter. |
| CVE-2007-0890 | | | 0.03 | — | 0.02 | | Feb 12, 2007 | Cross-site scripting (XSS) vulnerability in scripts/passwdmysql in cPanel WebHost Manager (WHM) 11.0.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the password parameter. |
| CVE-2006-6523 | | | 0.03 | — | 0.02 | | Dec 14, 2006 | Cross-site scripting (XSS) vulnerability in mail/manage.html in BoxTrapper in cPanel 11 allows remote attackers to inject arbitrary web script or HTML via the account parameter. |
| CVE-2006-6198 | | | 0.03 | — | 0.02 | | Dec 1, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in cPanel WebHost Manager (WHM) 3.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) email parameter to (a) scripts2/dochangeemail, the (2) supporturl parameter to (b)… |
| CVE-2006-5883 | | | 0.03 | — | 0.02 | | Nov 14, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in cPanel 10 allow remote authenticated users to inject arbitrary web script or HTML via the (1) dir parameter in (a) seldir.html, and the (2) user and (3) dir parameters in (b) newuser.html. |
| CVE-2006-5535 | | | 0.03 | — | 0.02 | | Oct 26, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in WebHostManager (WHM) 10.8.0 cPanel 10.9.0 R50 allow remote attackers to inject arbitrary web script or HTML via the (1) theme parameter to scripts/dosetmytheme and the (2) template parameter to scripts2/editzonetemplate. |
| CVE-2006-4293 | | | 0.03 | — | 0.02 | | Aug 22, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in cPanel 10 allow remote attackers to inject arbitrary web script or HTML via the (1) dir parameter in dohtaccess.html, or the (2) file parameter in (a) editit.html or (b) showfile.html. |
| CVE-2006-3337 | | | 0.03 | — | 0.02 | | Jul 3, 2006 | Cross-site scripting (XSS) vulnerability in frontend/x/files/select.html in cPanel 10.8.2-CURRENT 118 and earlier allows remote attackers to inject arbitrary web script or HTML via the file parameter. |
| CVE-2005-2021 | | | 0.03 | — | 0.03 | | Jun 20, 2005 | Cross-site scripting (XSS) vulnerability in cPanel 9.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the user parameter in the login page. |
| CVE-2004-2308 | | | 0.03 | — | 0.02 | | Dec 31, 2004 | Cross-site scripting (XSS) vulnerability in cPanel 9.1.0 and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the dir parameter in dohtaccess.html. |
| CVE-2004-0490 | | | 0.03 | — | 0.04 | | Aug 18, 2004 | cPanel, when compiling Apache 1.3.29 and PHP with the mod_phpsuexec option, does not set the --enable-discard-path option, which causes php to use the SCRIPT_FILENAME variable to find and execute a script instead of the PATH_TRANSLATED variable, which allows local users to… |
| CVE-2004-1875 | | | 0.03 | — | 0.05 | | Mar 30, 2004 | Multiple cross-site scripting (XSS) vulnerabilities in cPanel 9.1.0-R85 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to testfile.html, (2) file parameter to erredit.html, (3) dns parameter to dnslook.html, (4) account parameter to… |
| CVE-2003-0521 | | | 0.03 | — | 0.02 | | Aug 18, 2003 | Cross-site scripting (XSS) vulnerability in cPanel 6.4.2 allows remote attackers to insert arbitrary HTML and possibly gain cPanel administrator privileges via script in a URL that is logged but not properly quoted when displayed via the (1) Error Log or (2) Latest Visitors… |
| CVE-2020-26098 | | | 0.01 | — | 0.03 | | Sep 25, 2020 | cPanel before 88.0.3 mishandles the Exim filter path, leading to remote code execution (SEC-485). |
| CVE-2025-66429 | | | 0.00 | — | 0.01 | | Dec 11, 2025 | An issue was discovered in cPanel 110 through 132. A directory traversal vulnerability within the Team Manager API allows for overwrite of an arbitrary file. This can allow for privilege escalation to the root user. |
| CVE-2021-38584 | | | 0.00 | — | 0.01 | | Aug 11, 2021 | The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585). |
| CVE-2021-38585 | | | 0.00 | — | 0.01 | | Aug 11, 2021 | The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585). |
| CVE-2021-38586 | | | 0.00 | — | 0.00 | | Aug 11, 2021 | In cPanel before 98.0.1, /scripts/cpan_config performs unsafe operations on files (SEC-589). |
| CVE-2021-38587 | | | 0.00 | — | 0.01 | | Aug 11, 2021 | In cPanel before 96.0.13, scripts/fix-cpanel-perl mishandles the creation of temporary files (SEC-586). |
| CVE-2021-38588 | | | 0.00 | — | 0.00 | | Aug 11, 2021 | In cPanel before 96.0.13, fix_cpanel_perl lacks verification of the integrity of downloads (SEC-587). |