cPanel Patches WHM Flaws That Can Enable File Access, Code Injection, and DoS Attacks
cPanel has released security updates for three vulnerabilities affecting cPanel & WHM and WP Squared. The flaws can allow arbitrary file reads, Perl code injection, denial-of-service attacks, and possible privilege escalation on affected hosting servers.
The issues are tracked as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203. cPanel published the security updates on May 8, 2026, and later updated its advisory pages with patched version details.
Hosting providers and server administrators should patch quickly because cPanel and WHM often manage multiple websites, databases, email accounts, and user environments from a single control panel. A weakness in this layer can create risk for many hosted accounts at once.
What cPanel fixed
The first flaw, CVE-2026-29201, affects the feature::LOADFEATUREFILE adminbin call. cPanel says the call did not properly validate the feature file name, allowing a relative path to make an arbitrary file world-readable.
The second flaw, CVE-2026-29202, affects the create_user API call and relates to the plugin parameter. cPanel describes it as a Perl code injection issue, which can allow privilege escalation.
The third flaw, CVE-2026-29203, involves unsafe symlink handling. It can allow a user to chmod an arbitrary file, which can lead to denial of service and possible privilege escalation.
At a glance
| CVE | Issue | Main impact | Affected products |
|---|---|---|---|
| CVE-2026-29201 | Improper validation in feature::LOADFEATUREFILE | Arbitrary file read | cPanel & WHM, WP Squared |
| CVE-2026-29202 | Perl code injection in create_user API | Privilege escalation | cPanel & WHM, WP Squared |
| CVE-2026-29203 | Unsafe symlink handling | Denial of service and possible privilege escalation | cPanel & WHM, WP Squared |
CVE-2026-29201 can expose files
CVE-2026-29201 comes from insufficient input validation in the feature::LOADFEATUREFILE adminbin call. The issue can let an authenticated user pass a relative path as an argument.
When exploited, the flaw does not read the target directly; it changes the target's permissions so that any local account, including other tenants on a shared server, can read it. That can expose configuration files, application data, credentials, private paths, or other files the affected process can reach.
File read bugs can become more dangerous in shared hosting environments. Attackers may use exposed files to learn server layout, identify credentials, or prepare follow-up attacks.
CVE-2026-29202 involves Perl code injection
CVE-2026-29202 affects the create_user API call. The issue relates to the plugin parameter and allows Perl code injection under certain conditions.
cPanel’s May 8 update describes this flaw as a privilege escalation issue. NVD’s CVE entry says insufficient input validation of the plugin parameter can allow arbitrary Perl code execution on behalf of the already authenticated account’s system user.
This makes CVE-2026-29202 one of the most important flaws in the batch. Code injection inside hosting control panel workflows can give attackers a path to deeper compromise if they already have valid access.
CVE-2026-29203 can cause DoS and privilege escalation
CVE-2026-29203 is tied to unsafe symlink handling. cPanel says the flaw allows a user to chmod an arbitrary file.
NVD describes the issue more specifically as a chmod call in the cPanel Nova plugin’s Cpanel::Nova::Connector that follows symlinks. This can allow permission changes on arbitrary system files or directories.
The result can include denial of service and possible local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under the home directory.
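The precondition NVD describes is a user-placed symlink under a home directory that the control panel later chmods. A hunt for that setup does not need the exact legacy Nova path, which the advisory text here does not give: any symlink under a tenant's home that resolves to a file or directory outside that home is worth a look. The following is an added example written for this article, not cPanel code; the scanned tree is constructed in a temporary directory, and the paths it contains (/etc/shadow, /usr/local/cpanel) are illustrative targets, not observed attack data.

```python
"""Find symlinks under per-user home directories that resolve outside the owner's
home (constructed hunting example, not cPanel code). Such a link is the setup
NVD describes for CVE-2026-29203: a chmod that follows it lands on a system path."""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(home_root):
    """Return (link_path, resolved_target) for every symlink under each user home
    whose final target lies outside that home. Symlinked directories are reported
    but never descended into, so a link to / cannot make the scan walk the disk."""
    findings = []
    home_root = Path(home_root)
    user_homes = sorted(p for p in home_root.iterdir() if p.is_dir() and not p.is_symlink())
    for user_home in user_homes:
        home_real = user_home.resolve()
        for root, dirs, files in os.walk(user_home, followlinks=False):
            for name in dirs + files:
                link = Path(root, name)
                if not link.is_symlink():
                    continue
                # realpath follows the whole chain, so a link -> link -> /etc is still caught.
                target = Path(os.path.realpath(link))
                if target != home_real and home_real not in target.parents:
                    findings.append((str(link), str(target)))
    return findings


def build_demo_tree(base):
    """Construct a small /home-like tree (constructed data): one benign in-home link
    and two links that escape the owner's home."""
    base = Path(base)
    alice, bob = base / "alice", base / "bob"
    (alice / ".config").mkdir(parents=True)
    (alice / "public_html").mkdir()
    (bob / "public_html").mkdir(parents=True)
    (alice / "public_html" / "index.html").write_text("hi")
    os.symlink(alice / "public_html" / "index.html", alice / ".config" / "in_home")  # stays in home
    os.symlink("/etc/shadow", alice / ".config" / "state")                           # escapes home
    os.symlink("/usr/local/cpanel", bob / "public_html" / "cp")                       # escapes home
    return base


def demo_in_tempdir():
    """Build the demo tree in a temp dir and return what the scan finds there."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return find_escaping_symlinks(tmp)


if __name__ == "__main__":
    for link, target in demo_in_tempdir():
        print(f"{link} -> {target}")
```

On a real server run find_escaping_symlinks("/home") (or whatever the server's home root is) as root, and review every hit whose target is a system file or directory; a link placed before patching may still be waiting for a chmod even after the update is applied.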
Affected and patched versions
| Product branch | Patched version |
|---|---|
| cPanel & WHM 11.136 | 11.136.0.9 and higher |
| cPanel & WHM 11.134 | 11.134.0.25 and higher |
| cPanel & WHM 11.132 | 11.132.0.31 and higher |
| cPanel & WHM 11.130 | 11.130.0.22 and higher |
| cPanel & WHM 11.126 | 11.126.0.58 and higher |
| cPanel & WHM 11.124 | 11.124.0.37 and higher |
| cPanel & WHM 11.118 | 11.118.0.66 and higher |
| cPanel & WHM 11.110 | 11.110.0.117 and higher |
| cPanel & WHM 11.102 | 11.102.0.41 and higher |
| cPanel & WHM 11.94 | 11.94.0.30 and higher |
| cPanel & WHM 11.86 | 11.86.0.43 and higher |
| WP Squared | 11.136.1.11 and higher |
Older CentOS and CloudLinux systems need extra attention
cPanel also released version 11.110.0.116 as a direct update for customers still running CentOS 6 or CloudLinux 6. Administrators on those legacy platforms need to set the upgrade tier before applying the update.
These older environments often carry extra operational risk because they may depend on legacy packages, custom hosting templates, and older automation. That can slow patching if providers do not already have a tested maintenance path.
Even so, delaying this update increases exposure. Shared hosting servers can contain many tenants, so a flaw that starts with one authenticated user can create wider server-level consequences.
How administrators can update cPanel
Administrators can force the cPanel update with the standard update script. It must run as root, or through an approved administrative workflow, and it updates to the release tier configured for the server, which is why the CentOS 6 and CloudLinux 6 case above needs the tier set first.

```shell
/scripts/upcp --force
```

After the update finishes, verify the installed cPanel version with the following command.

```shell
/usr/local/cpanel/cpanel -V
```

The returned version should match the patched version for the relevant branch, or be higher within that branch. Administrators should also confirm that WP Squared systems and related plugins received their security updates.
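Checking one server by eye is easy; checking a fleet is where mistakes happen, because "and higher" only applies within a branch and an unlisted branch is not covered at all. The script below is an added example for this article, not cPanel tooling: it encodes the table above, derives the branch from the first two version components, and compares the rest numerically. It assumes the version command prints a dotted four-part version somewhere in its output, so it extracts the first such string rather than trusting the exact format.

```python
"""Decide whether a reported cPanel & WHM or WP Squared version is at or above the
patched version for its branch (constructed example, not cPanel code)."""
import re
import subprocess

# First patched version per branch, copied from the advisory table above.
PATCHED = {
    "cPanel & WHM": {
        "11.136": "11.136.0.9",
        "11.134": "11.134.0.25",
        "11.132": "11.132.0.31",
        "11.130": "11.130.0.22",
        "11.126": "11.126.0.58",
        "11.124": "11.124.0.37",
        "11.118": "11.118.0.66",
        "11.110": "11.110.0.117",
        "11.102": "11.102.0.41",
        "11.94": "11.94.0.30",
        "11.86": "11.86.0.43",
    },
    "WP Squared": {"11.136": "11.136.1.11"},
}

VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+\.\d+)\b")


def parse_version(text):
    """Extract the first dotted four-part version from text as a tuple of ints,
    so that 11.136.0.10 sorts after 11.136.0.9 (string comparison would not)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def patch_status(product, version_text):
    """Return 'patched', 'unpatched' or 'unsupported-branch' for a version string
    or raw command output. 'And higher' is evaluated only within the branch row;
    a branch missing from the table gets no credit for being numerically newer."""
    version = parse_version(version_text)
    branch = f"{version[0]}.{version[1]}"
    table = PATCHED[product]
    if branch not in table:
        return "unsupported-branch"
    return "patched" if version >= parse_version(table[branch]) else "unpatched"


def installed_version_status(product="cPanel & WHM"):
    """Run the version command on this host (assumed to print a dotted version)."""
    out = subprocess.run(
        ["/usr/local/cpanel/cpanel", "-V"], capture_output=True, text=True, check=True
    ).stdout
    return patch_status(product, out)


if __name__ == "__main__":
    print(installed_version_status())
```

For fleet use, run the version command over SSH on each host and feed the output to patch_status; an "unsupported-branch" result means the host is on a branch the advisory does not list and needs a manual decision, not that it is safe.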
What hosting providers should check after patching
- Confirm every cPanel & WHM server runs a patched version.
- Check WP Squared installations separately.
- Review logs for unusual create_user API activity.
- Review file permission changes that may point to symlink abuse.
- Look for unexpected world-readable files created before patching.
- Check accounts that recently gained new privileges.
- Audit suspicious plugin parameters in API calls.
- Restrict control panel access to trusted networks where possible.
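Two of the checks above, reviewing create_user activity and auditing plugin parameters, can be done in one pass over the API access log. The script below is an added example written for this article, not cPanel code. It assumes combined-log-style lines with the request target in the quoted request line (adjust LOG_RE to the server's actual format), assumes the call appears in the URL path as create_user, and uses an allowlist of ordinary identifier characters for the plugin value as a heuristic; the sample lines are constructed and the odd-looking values in them are illustrative metacharacter strings, not a working exploit for CVE-2026-29202.

```python
"""Scan cPanel-style API access log lines for create_user calls whose plugin
parameter carries characters a plugin name should never need (constructed example;
the log format and URL path are assumptions, not documented cPanel behaviour)."""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Assumed allowlist for a plugin identifier; anything outside it deserves a look.
SAFE_PLUGIN = re.compile(r"^[A-Za-z0-9_.-]+$")


def audit_create_user(lines):
    """Return one finding per create_user call whose decoded plugin value fails the allowlist.
    Only query-string parameters are visible in an access-style log: a POST body is not
    logged there, so POST calls need a separate review of the API request log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.rstrip("/").endswith("create_user"):
            continue
        # parse_qs percent-decodes, so %3B or %24 smuggled in the raw line surfaces here.
        params = parse_qs(url.query, keep_blank_values=True)
        for plugin in params.get("plugin", []):
            if not SAFE_PLUGIN.match(plugin):
                findings.append(
                    {"ip": m["ip"], "user": m["user"], "ts": m["ts"], "plugin": plugin}
                )
    return findings


# Constructed sample lines, not real log data.
SAMPLE_LOG = """\
192.0.2.10 - root [08/05/2026:10:01:02 +0000] "GET /json-api/create_user?user=demo&plugin=billing HTTP/1.1" 200 512
192.0.2.10 - root [08/05/2026:10:01:03 +0000] "GET /json-api/version HTTP/1.1" 200 64
198.51.100.7 - reseller1 [08/05/2026:10:05:44 +0000] "GET /json-api/create_user?user=x&plugin=billing%3Bsystem(%22id%22)%3B HTTP/1.1" 200 512
198.51.100.7 - reseller1 [08/05/2026:10:05:45 +0000] "POST /json-api/create_user HTTP/1.1" 200 512
203.0.113.5 - reseller2 [08/05/2026:10:07:00 +0000] "GET /json-api/create_user?plugin=%24%7Bsystem(%27id%27)%7D HTTP/1.1" 403 0
""".splitlines()


if __name__ == "__main__":
    for finding in audit_create_user(SAMPLE_LOG):
        print(finding)
```

Treat hits as leads, not verdicts: a legitimate plugin name that happens to contain an unusual character will trip the allowlist, and a 403 on the call (as in the last sample line) still records who tried it from where. The POST line is deliberately invisible to this check, which is the caveat to remember when the log shows only the method and path.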
Why the timing matters
The May 8 patch arrives shortly after another major cPanel issue, CVE-2026-41940, triggered industry-wide concern. That earlier authentication bypass flaw affected cPanel & WHM and WP Squared, and researchers reported active exploitation after public disclosure.
Rapid7 said a managed cPanel host reported active exploitation of CVE-2026-41940, while watchTowr published technical analysis and proof-of-concept details. Shadowserver also reported ongoing cPanel and WHM attack activity tied to the earlier flaw.
The new May 8 vulnerabilities are different issues, but they affect the same kind of high-value hosting infrastructure. Administrators should treat cPanel patching as an urgent operational task, not a routine maintenance item.
Summary
- cPanel patched three May 8 vulnerabilities affecting cPanel & WHM and WP Squared.
- CVE-2026-29201 can allow arbitrary file reads through feature::LOADFEATUREFILE.
- CVE-2026-29202 can allow Perl code injection through the create_user API plugin parameter.
- CVE-2026-29203 can allow chmod on arbitrary files, leading to DoS and possible privilege escalation.
- Administrators should update immediately and verify the installed version after patching.
FAQ
Which vulnerabilities did cPanel patch?
cPanel patched three vulnerabilities tracked as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203. They affect cPanel & WHM and WP Squared.
What is CVE-2026-29202?
CVE-2026-29202 allows Perl code injection through the create_user API call, specifically through the plugin parameter.
What is CVE-2026-29201?
CVE-2026-29201 can expose arbitrary files through insufficient validation in the feature::LOADFEATUREFILE adminbin call.
What is CVE-2026-29203?
CVE-2026-29203 can allow chmod on arbitrary files through unsafe symlink handling. This can cause denial of service and possible privilege escalation.