cPanel Patches Multiple Vulnerabilities Affecting WHM and WP Squared Servers

cPanel has patched multiple vulnerabilities across cPanel & WHM and WP Squared after a busy security update cycle that affected hosting environments, reseller systems, and servers running shared control panel infrastructure.

The latest fixes address several security issues, including arbitrary file reads, Perl code execution, unsafe symlink handling, SQL injection, privilege escalation, weak DNS cluster SSL enforcement, and an unauthenticated cpsrvd header-insertion flaw.

Administrators should update affected servers immediately, especially because cPanel also recently patched a separate critical authentication issue, CVE-2026-41940, that has already seen active exploitation.

cPanel’s May patches cover several vulnerability groups

The May 8 update fixed three vulnerabilities tracked as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203. These issues affect different parts of cPanel & WHM and WP Squared.

CVE-2026-29201 involves insufficient validation in the feature::LOADFEATUREFILE adminbin call. cPanel said a relative path could cause an arbitrary file to become world-readable.

CVE-2026-29202 affects the create_user API call. The issue involves the plugin parameter and can allow arbitrary Perl code execution as the affected account’s system user.

CVE            | Main issue                             | Potential impact
---------------|----------------------------------------|------------------------------------------------------------
CVE-2026-29201 | Improper feature file-name validation  | Arbitrary file read or exposure of sensitive files
CVE-2026-29202 | Perl code injection in create_user API | Code execution as the affected account’s system user
CVE-2026-29203 | Unsafe symlink handling in cPanel Nova | Denial of service or possible local privilege escalation

The May 8 flaws matter for shared hosting

The biggest concern is not only individual impact, but the environment where cPanel usually runs. Shared hosting servers often have many accounts on the same system, which makes isolation especially important.

CVE-2026-29203 shows that risk clearly. The flaw allows a user-controlled symlink under a legacy Nova path to influence chmod behavior, potentially changing permissions on arbitrary system files or directories.

That can create denial-of-service conditions and may support local privilege escalation in the right environment. Hosting providers should treat these bugs as high-priority even when exploitation requires some access to the system.

cPanel also patched five more flaws on May 13

A second May patch wave covered five additional vulnerabilities: CVE-2026-29205, CVE-2026-29206, CVE-2026-32991, CVE-2026-32992, and CVE-2026-32993.

The most notable of these is CVE-2026-29205. cPanel said a combination of incorrect privilege dropping and insufficient path filtering made it possible to read arbitrary files through certain cpdavd endpoints. This affects cPanel & WHM versions 120 and higher.

cPanel later released an additional fix for CVE-2026-29205 and recommended that administrators update again and confirm that their systems are on the newer patched builds.

CVE            | Affected area               | Issue
---------------|-----------------------------|------------------------------------------------------------------------------------------
CVE-2026-29205 | cpdavd endpoints            | Arbitrary file read through incorrect privilege dropping and insufficient path filtering
CVE-2026-29206 | sqloptimizer script         | SQL query injection risk
CVE-2026-32991 | Team users and UAPI modules | Low-privilege team user escalation to owner account capabilities
CVE-2026-32992 | DNS Cluster system          | SSL verification weakness that could expose credentials to interception
CVE-2026-32993 | cpsrvd endpoint             | Unauthenticated arbitrary HTTP header insertion

CVE-2026-41940 remains the critical exploited issue

The critical vulnerability in cPanel’s recent security activity, rated CVSS 9.8, is CVE-2026-41940. It is separate from the May 8 and May 13 patch sets.

cPanel described CVE-2026-41940 as an authentication vulnerability in the session management layer. A specially crafted request could cause an unauthenticated session to be treated as authenticated.

CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog on May 1, 2026. cPanel said the flaw affects every cPanel & WHM version after v11.40 and WP Squared up to v11.136.1.6.

Why hosting providers should move quickly

cPanel servers often manage websites, email, DNS, databases, files, accounts, and reseller functions from one control plane. A flaw in that control plane can affect many customers on the same server.

File-read bugs can expose configuration files, account data, credentials, tokens, or private operational details. Code execution and privilege escalation flaws can increase the damage if attackers already have user-level access.

The risk grows when servers run outdated release tiers, lack automatic updates, or host untrusted users. Shared hosting providers should check patch status across every server, not only internet-facing control panel nodes.

  • Update cPanel & WHM to the fixed build for the active release tier.
  • Update WP Squared if it runs on the server.
  • Run the update manually if automatic updates are disabled.
  • Verify the installed version after updating.
  • Review logs for suspicious API calls, file reads, and account changes.
  • Restrict access to cPanel, WHM, Webmail, WebDAV, and related service ports where possible.
  • Apply cPanel’s mitigation guidance for systems that cannot update immediately.

Patched versions administrators should check

For the May 8 vulnerabilities, cPanel listed patched builds across supported branches, including 11.136.0.9 and higher, 11.134.0.25 and higher, 11.132.0.31 and higher, and several older supported tiers.

For the May 13 CVE-2026-29205 update, cPanel later recommended newer patched builds, including 11.124.0.40 and higher, 11.126.0.61 and higher, 11.130.0.25 and higher, 11.132.0.34 and higher, 11.134.0.28 and higher, and 11.136.0.12 and higher.

Administrators should not rely only on version assumptions. They should verify the installed build after patching because cPanel released follow-up fixes for at least one issue.

  1. Log in to the server through SSH as root.
  2. Run /scripts/upcp --force to apply the latest update.
  3. Run /usr/local/cpanel/cpanel -V to confirm the installed build.
  4. Compare the result with cPanel’s fixed version list for the active release tier.
  5. Repeat this check across all servers, including reseller and staging systems.
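The comparison in step 4 is where mistakes happen: a plain string comparison ranks 11.136.0.9 above 11.136.0.12, and a server that received the May 8 build is still below the May 13 follow-up build for CVE-2026-29205. The script below is an added example, not cPanel’s own tooling; it encodes the follow-up fixed builds quoted in this article and compares an installed build component by component. It assumes the installed build can be read from /usr/local/cpanel/version (and accepts the “(build N)” form of the version string, both assumptions); when that file is absent it falls back to constructed sample builds so the logic can be exercised anywhere. Run /scripts/upcp --force first, then this check.

```shell
#!/bin/sh
# Added example (not cPanel's tooling): compare an installed cPanel & WHM build
# against the minimum fixed builds listed for the May 13 CVE-2026-29205 follow-up.
# Assumptions: /usr/local/cpanel/version holds the build; "(build N)" suffixes may appear.

# Minimum fixed build per release tier, as quoted in the article for CVE-2026-29205.
fixed_build_for_tier() {
  case "$1" in
    11.124) echo 11.124.0.40 ;;
    11.126) echo 11.126.0.61 ;;
    11.130) echo 11.130.0.25 ;;
    11.132) echo 11.132.0.34 ;;
    11.134) echo 11.134.0.28 ;;
    11.136) echo 11.136.0.12 ;;
    *) return 1 ;;   # tier not in the list: do not guess
  esac
}

# Normalise a version string to four dotted numbers:
#   "11.136.0 (build 12)" -> 11.136.0.12,  "136.0 (build 9)" -> 11.136.0.9
# (the leading "11." is the internal form used in cPanel's fixed-build lists).
normalize_version() {
  v=$(printf '%s\n' "$1" | sed -E 's/^[^0-9]*//; s/ *\(build ([0-9]+)\)/.\1/')
  case "$v" in
    11.*) ;;
    *) v="11.$v" ;;
  esac
  printf '%s\n' "$v"
}

# version_ge A B: succeed when A >= B, comparing each component numerically.
version_ge() {
  for i in 1 2 3 4; do
    x=$(printf '%s\n' "$1" | cut -d. -f"$i"); x=${x:-0}
    y=$(printf '%s\n' "$2" | cut -d. -f"$i"); y=${y:-0}
    if [ "$x" -gt "$y" ]; then
      return 0
    elif [ "$x" -lt "$y" ]; then
      return 1
    fi
  done
  return 0
}

# patch_status VERSION: prints patched / vulnerable / unknown-tier and returns 0 / 1 / 2.
patch_status() {
  v=$(normalize_version "$1")
  tier=$(printf '%s\n' "$v" | cut -d. -f1,2)
  if ! min=$(fixed_build_for_tier "$tier"); then
    echo "unknown-tier"; return 2
  fi
  if version_ge "$v" "$min"; then
    echo "patched"; return 0
  fi
  echo "vulnerable"; return 1
}

# On a cPanel host read the installed build (assumed path); elsewhere use
# constructed samples, including a May 8 build that misses the May 13 follow-up.
if [ -r /usr/local/cpanel/version ]; then
  builds=$(cat /usr/local/cpanel/version)
else
  builds="11.132.0.31 11.136.0.12 11.134.0.27 11.140.0.1"   # constructed samples
fi
for b in $builds; do
  printf '%-14s %s\n' "$b" "$(patch_status "$b")"
done
```

Run it on every server in the fleet (reseller and staging hosts included) and treat any “vulnerable” or “unknown-tier” result as a server that still needs attention; the tier table must be refreshed from cPanel’s own fixed-version list whenever a follow-up build is published.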

The recent cPanel updates arrived during a wider wave of Linux hosting security concerns. cPanel also published guidance for Dirty Frag, a Linux kernel local privilege escalation issue affecting multiple Linux distributions.

Dirty Frag is not a cPanel vulnerability, but it matters because cPanel servers run on Linux and often host many local users. Kernel privilege escalation bugs can turn lower-level access into root access if the underlying operating system remains unpatched.

cPanel has also addressed Exim updates tied to CVE-2026-40684, CVE-2026-40685, CVE-2026-40686, and CVE-2026-40687. Mail services are a major part of hosting environments, so administrators should confirm that both cPanel and bundled service packages are current.

What admins should monitor after patching

Patching closes the known flaws, but administrators should still check for suspicious activity. That matters more for systems that were exposed before updates became available or that delayed patch deployment.

Teams should review cPanel API activity, account creation events, feature file access, WebDAV logs, DNS cluster changes, team-user privilege changes, and unexplained permission changes under user-controlled directories.

For CVE-2026-41940 exposure, administrators should follow cPanel’s detection guidance and review session-file indicators. If compromise appears likely, they should rotate credentials, review account-level access, and inspect web roots for malware or unauthorized files.

Area to inspect      | Reason
---------------------|--------------------------------------------------------------------------
cPanel API logs      | May reveal suspicious create_user activity or unexpected automation.
cpdavd logs          | May reveal attempts to access files through WebDAV-related endpoints.
Team-user settings   | May show privilege changes linked to owner account escalation risks.
DNS cluster settings | May reveal changes affecting trust or credential exposure.
File permissions     | May show chmod-related changes that should not exist.
Session files        | May help investigate CVE-2026-41940 exploitation indicators.

Shared hosting security depends on fast updates

The recent cPanel patch cycle shows why hosting providers need a strict update process. A single vulnerable control panel can expose many accounts, domains, mailboxes, databases, and customer workloads.

Servers that support untrusted users need extra attention because several flaws affect account boundaries, file access, or local privilege paths. Even bugs that look limited can become serious when combined with other hosting-layer weaknesses.

The safest path is to update cPanel & WHM, WP Squared, Exim, Apache, and the underlying Linux kernel as soon as tested patches become available. Administrators should also limit management access to trusted networks and audit server activity after every emergency security release.

FAQ

What cPanel vulnerabilities were patched in May 2026?

cPanel patched several vulnerabilities in May 2026, including CVE-2026-29201, CVE-2026-29202, CVE-2026-29203, CVE-2026-29205, CVE-2026-29206, CVE-2026-32991, CVE-2026-32992, and CVE-2026-32993. These issues affect file access, code execution, symlink handling, SQL queries, team-user privileges, DNS cluster SSL enforcement, and cpsrvd headers.

Is CVE-2026-41940 part of the same cPanel patch set?

No. CVE-2026-41940 is a separate critical cPanel session-management vulnerability patched on April 28, 2026. It carries a 9.8 CVSS score and has been added to CISA’s Known Exploited Vulnerabilities catalog.

Which cPanel flaw allows arbitrary file reads?

More than one recent cPanel issue involved file-read risk. CVE-2026-29201 affects the feature::LOADFEATUREFILE adminbin call, while CVE-2026-29205 affects certain cpdavd endpoints through incorrect privilege dropping and insufficient path filtering.

How can administrators patch the cPanel vulnerabilities?

Administrators should run /scripts/upcp --force, then verify the installed cPanel version with /usr/local/cpanel/cpanel -V. They should compare the result with cPanel’s fixed version list for their release tier and update WP Squared where applicable.

What should admins check after applying the cPanel updates?

Admins should review cPanel API logs, cpdavd activity, team-user changes, DNS cluster settings, file-permission changes, session-file indicators, and unusual account activity. They should also rotate credentials if they suspect compromise.
