cPanel has released security updates for cPanel and Web Host Manager (WHM), addressing three vulnerabilities: arbitrary file read, arbitrary Perl code execution, and unsafe handling of symbolic links. Two of the three issues have a CVSS score of 8.8, which corresponds to a high severity level. The vulnerabilities affect a wide range of supported product branches, as well as the WP Squared platform. According to available data, there was no evidence of active exploitation in the wild at the time of publication; however, hosting panel administrators are advised to apply the patches without delay.
Technical details of the vulnerabilities
All three vulnerabilities are related to insufficient validation of input data or unsafe handling of file operations on the server side.
- CVE-2026-29201 (CVSS: 4.3) — insufficient validation of the filename in the feature::LOADFEATUREFILE adminbin call. According to reports, the vulnerability allows arbitrary files on the server to be read. Despite the relatively low CVSS score, unauthorized access to the file system can be used for reconnaissance prior to a more serious attack, for example to locate configuration files or credentials that feed the next step.
- CVE-2026-29202 (CVSS: 8.8) — insufficient validation of the plugin parameter in the create_user API call. According to the vendor, the vulnerability allows arbitrary Perl code to be executed as the system user of an already authenticated account. In practice this means that a user with legitimate panel access, even one who was never granted shell access, can run commands at the operating system level as their own system user and so exceed what the panel was meant to allow.
- CVE-2026-29203 (CVSS: 8.8) — unsafe handling of symbolic links, allowing a user to change permissions on an arbitrary file via chmod. Because chmod follows symbolic links by default, a link planted inside the user's own directory can redirect the permission change to a file the user could not otherwise touch. This can result in denial of service or privilege escalation. Attacks via symbolic links are particularly dangerous in multi-tenant hosting environments, where isolation between accounts is a critical security requirement.
The three differ in severity: CVE-2026-29201 represents a moderate risk, whereas CVE-2026-29202 and CVE-2026-29203, both scored at 8.8, require priority attention. None of the three vulnerabilities is included in the CISA KEV catalog, and no confirmed cases of exploitation have been reported based on currently available information.
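To make the symlink class concrete, here is an added illustration of the bug pattern in Python; it is not cPanel's code, which this article does not show. The names chmod_unsafe, chmod_safe and demo are hypothetical, and the temporary directory, victim file and symlink are constructed by the script itself. The vulnerable function calls chmod on a path, so a link the tenant planted redirects the change to the link's target; the hardened one opens the path with O_NOFOLLOW, verifies the owner of what it actually opened, and changes the mode through the file descriptor.

```python
import os
import stat
import tempfile


def chmod_unsafe(path, mode):
    """Vulnerable pattern: os.chmod follows symbolic links, so if `path` is a
    link planted by the tenant, the mode change lands on the link's target."""
    os.chmod(path, mode)


def chmod_safe(path, mode, expected_uid):
    """Hardened pattern (hypothetical helper): open without following links,
    check the owner of the object actually opened, then chmod through the
    descriptor. Checking and changing the same open object closes the
    check-then-act window that a path-based lstat-then-chmod sequence leaves."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # raises OSError on a symlink
    try:
        st = os.fstat(fd)
        if st.st_uid != expected_uid:
            raise PermissionError(
                f"{path} is owned by uid {st.st_uid}, expected {expected_uid}")
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def demo():
    """Build a constructed layout in a temporary directory and return
    (victim mode after unsafe chmod, whether safe chmod refused the link,
     victim mode after that refusal, mode of a genuine file after safe chmod)."""
    with tempfile.TemporaryDirectory() as root:
        # Stands in for a sensitive file outside the tenant's tree (constructed).
        victim = os.path.join(root, "victim.conf")
        with open(victim, "w") as f:
            f.write("db_password=constructed\n")
        os.chmod(victim, 0o600)

        # The tenant's own directory, with a symlink they planted (constructed).
        user_dir = os.path.join(root, "home", "alice")
        os.makedirs(user_dir)
        link = os.path.join(user_dir, "innocent.txt")
        os.symlink(victim, link)
        genuine = os.path.join(user_dir, "mine.txt")
        open(genuine, "w").close()

        chmod_unsafe(link, 0o666)
        mode_after_unsafe = stat.S_IMODE(os.stat(victim).st_mode)

        os.chmod(victim, 0o600)  # reset before trying the hardened version
        try:
            chmod_safe(link, 0o666, expected_uid=os.getuid())
            refused = False
        except OSError:
            refused = True
        mode_after_safe = stat.S_IMODE(os.stat(victim).st_mode)

        chmod_safe(genuine, 0o640, expected_uid=os.getuid())
        genuine_mode = stat.S_IMODE(os.stat(genuine).st_mode)

        return mode_after_unsafe, refused, mode_after_safe, genuine_mode


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the unsafe call turning the victim's 0600 into 0666, the hardened call refusing the link and leaving the victim untouched, and the same hardened call succeeding on a file the tenant really owns. The uid check is the second line of defense: O_NOFOLLOW stops symlinks, while the ownership test catches a real file sitting in the tenant's tree that the tenant does not own.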
Affected versions and fixes
Patches are being distributed for several supported cPanel and WHM branches. The following versions and later are considered fixed:
- 11.136.0.9
- 11.134.0.25
- 11.132.0.31
- 11.130.0.22
- 11.126.0.58
- 11.124.0.37
- 11.118.0.66
- 11.110.0.116 / 11.110.0.117
- 11.102.0.41
- 11.94.0.30
- 11.86.0.43
For the WP Squared platform, the fix is included in version 11.136.1.10 and later.
Impact assessment
cPanel and WHM are used by thousands of hosting providers and managed services worldwide. The multi-tenant nature of these platforms makes vulnerabilities such as “privilege escalation” and “code execution” particularly dangerous: compromise of a single account can lead to lateral movement between customer environments on the same server.
CVE-2026-29202 requires authenticated access, which reduces the attack surface for external attackers but does not eliminate the risk: in real-world scenarios, attackers often obtain credentials via phishing, leaks, or password guessing, and then use such vulnerabilities for escalation. CVE-2026-29203, through manipulation of symbolic links and chmod, can potentially disrupt the operation of the entire server, which is critical for providers that offer availability guarantees.
Practical recommendations
- Update cPanel and WHM to the current version for your branch (see the list above). You can check automatic updates in cPanel via WHM → Update Preferences.
- Update WP Squared to version 11.136.1.10 or later if you use this platform.
- Check the version manually with the command cat /usr/local/cpanel/version on the server and make sure the installed version is not lower than the fixed version for your branch. Compare component by component as numbers: 11.136.0.10 is newer than 11.136.0.9 even though it sorts before it as a string.
- Restrict access to WHM by IP address via the firewall to reduce the attack surface, especially during the period before applying the patch.
- Audit active sessions and API keys — CVE-2026-29202 is exploited on behalf of an authenticated user, so compromised credentials constitute a direct attack vector.
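The manual version check above can be scripted. The following is an added example in Python, not a cPanel tool: it copies the fixed-version list from this article, reads /usr/local/cpanel/version (the path given above) and compares the installed version component by component. The function names are hypothetical, the sample strings used to exercise it are constructed, and for the 11.110 branch it takes 11.110.0.116, the lower of the two versions listed, as the minimum.

```python
from pathlib import Path

# Minimum fixed version per branch, copied from the list in this article.
# The branch key is the first two components of the version string.
FIXED_VERSIONS = {
    "11.136": "11.136.0.9",
    "11.134": "11.134.0.25",
    "11.132": "11.132.0.31",
    "11.130": "11.130.0.22",
    "11.126": "11.126.0.58",
    "11.124": "11.124.0.37",
    "11.118": "11.118.0.66",
    "11.110": "11.110.0.116",  # the article lists 11.110.0.116 / 11.110.0.117
    "11.102": "11.102.0.41",
    "11.94": "11.94.0.30",
    "11.86": "11.86.0.43",
}
WP_SQUARED_FIXED = "11.136.1.10"
VERSION_FILE = "/usr/local/cpanel/version"  # path given in the recommendations above


def parse_version(text):
    """Turn '11.136.0.9' into (11, 136, 0, 9). Tuples of ints compare
    numerically per component, avoiding the string trap where '0.10' < '0.9'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(text, wp_squared=False):
    """Return 'fixed', 'vulnerable' or 'unlisted' for an installed version string.
    'unlisted' means the branch is absent from the advisory list (for example an
    end-of-life branch) and must be checked against the vendor's notes by hand."""
    installed = parse_version(text)
    if wp_squared:
        fixed = WP_SQUARED_FIXED
    else:
        fixed = FIXED_VERSIONS.get(f"{installed[0]}.{installed[1]}")
        if fixed is None:
            return "unlisted"
    return "fixed" if installed >= parse_version(fixed) else "vulnerable"


def assess_installed(path=VERSION_FILE, wp_squared=False):
    """Read the version file on the server and assess it (hypothetical helper)."""
    return assess(Path(path).read_text(), wp_squared=wp_squared)


if __name__ == "__main__":
    print(assess_installed())
```

Run it on each server as the same user that can read the version file; anything that reports vulnerable or unlisted goes to the top of the patch queue. Treat unlisted branches as unpatched until the vendor's notes say otherwise, since the list above only covers branches that received a fix.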
Administrators using any of the listed cPanel and WHM branches should apply the updates as a priority — especially given the CVSS 8.8 score for CVE-2026-29202 and CVE-2026-29203. Postponing patching in a multi-tenant hosting environment creates a real risk of compromising customer data and breaking account isolation, even in the absence of confirmed attacks at the present time.