SB20260511111 - Multiple vulnerabilities in cPanel & WHM
Published: May 11, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-29201)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the LOADFEATUREFILE adminbin call when handling crafted requests. A remote user can send a specially crafted request to disclose sensitive information.
2) Code Injection (CVE-ID: CVE-2026-29202)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to code injection in the create_user API call when processing crafted input. A remote user can submit crafted input to execute arbitrary code.
3) Link following (CVE-ID: CVE-2026-29203)
The vulnerability allows a local user to cause a denial of service and possibly escalate privileges.
The vulnerability exists due to unsafe symlink handling in file permission handling when processing symlinks. A local user can chmod an arbitrary file to cause a denial of service and possibly escalate privileges.
Remediation
Install update from vendor's website.
References
- https://docs.cpanel.net/release-notes/release-notes/#cpanel--whm-security-update
- https://support.cpanel.net/hc/en-us/articles/40311033698327-Security-CVE-2026-29201-cPanel-WHM-WP2-Security-Update-May-08-2026
- https://support.cpanel.net/hc/en-us/articles/40311426610327-Security-CVE-2026-29202-cPanel-WHM-WP2-Security-Update-May-08-2026
- https://support.cpanel.net/hc/en-us/articles/40311543760407-Security-CVE-2026-29203-cPanel-WHM-WP2-Security-Update-May-08-2026