Addressing cPanel & WHM Vulnerabilities: CVE-2026-29201 (CVSS 4.3) and Others

Introduction

cPanel and Web Host Manager (WHM) are widely deployed control panels for managing web hosting environments. Recent disclosures confirm cPanel has released fixes for three new vulnerabilities, impacting the security of numerous servers globally. These vulnerabilities, identified as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, pose various risks from information disclosure to potential arbitrary code execution and denial-of-service.

These patches address critical security flaws that, if exploited, could compromise server integrity. Cybersecurity professionals must prioritize these updates to protect managed hosting infrastructure. Understanding the technical specifics helps with effective risk management and implementing appropriate defensive measures.

Organizations using cPanel and WHM must assess their current version status against the newly released security advisories. Prompt application of patches is the primary defense against potential exploitation. This analysis summarizes the vulnerabilities, their potential impact, and the necessary mitigation steps.

What are the technical details of CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203?

cPanel and WHM have addressed three vulnerabilities that affect various aspects of the hosting management system. Each vulnerability carries a specific Common Vulnerability Scoring System (CVSS) rating, indicating its severity and potential impact. These flaws stem from different security weaknesses, including improper input validation and unsafe file handling practices.

The vulnerabilities are detailed as follows:

  • CVE-2026-29201 (CVSS score: 4.3): This vulnerability is an insufficient input validation issue. It exists in the "feature::LOADFEATUREFILE" adminbin call, specifically concerning the feature file name. An attacker could exploit this flaw to perform an arbitrary file read operation, potentially gaining access to sensitive configuration files or other data on the system.
  • CVE-2026-29202 (CVSS score: 8.8): This is a critical vulnerability related to insufficient input validation of the "plugin" parameter within the "create_user API" call. Exploitation could lead to arbitrary Perl code execution. If an attacker uses this, they could execute code with the privileges of an already authenticated account's system user, posing a significant risk for server compromise. Such an exploit would bypass standard security measures, allowing unauthorized operations.
  • CVE-2026-29203 (CVSS score: 8.8): This vulnerability involves unsafe symlink handling. It allows an authenticated user to modify access permissions of an arbitrary file using the chmod command via a crafted symlink. The consequences of this can include denial-of-service (DoS) by rendering critical system files inaccessible or privilege escalation, allowing the attacker to gain higher system control. The ability to manipulate file permissions at an arbitrary level presents a foundational security risk.

These vulnerabilities impact multiple versions of cPanel and WHM, requiring specific updates across various release trains. The diverse nature of these flaws, from file reading to code execution and permission manipulation, shows the importance of full security updates.

What is the current exploitation status and potential impact of these vulnerabilities?

There is no evidence that CVE-2026-29201, CVE-2026-29202, or CVE-2026-29203 have been exploited. This absence of active exploitation does not diminish their potential severity. The CVSS scores of 8.8 for two of the vulnerabilities indicate a high risk if weaponized. Proactive patching remains essential to prevent future compromise.

The disclosure of these vulnerabilities follows closely after another critical cPanel flaw, CVE-2026-41940, was actively exploited as a zero-day. That vulnerability was used by threat actors to deploy Mirai botnet variants and a ransomware strain identified as Sorry. This past incident shows the potential for cPanel vulnerabilities to be rapidly integrated into attack campaigns, impacting global hosting infrastructure. PurpleOps provides continuous insights into such active threats through its real-time ransomware intelligence capabilities, important for understanding evolving risks. Information about the CVE-2026-41940 exploit, including its use by threat actors, has been documented in previous PurpleOps analyses, such as cPanel Vulnerability Threats - May 05, CVE-2026-41940 cPanel Exploit - May 05, and CVE-2026-41940 cPanel & WHM - May 04.

The arbitrary Perl code execution (CVE-2026-29202) represents a significant threat. Successful exploitation could grant an attacker the ability to execute malicious scripts on the server, potentially leading to full system compromise. This capability often precedes data exfiltration, service disruption, or lateral movement within an organization's network. The arbitrary file read (CVE-2026-29201) can lead to information disclosure, revealing sensitive server configurations or credentials. This information can then be used to craft more sophisticated attacks, bypassing existing breach detection mechanisms.

An unsafe symlink handling vulnerability (CVE-2026-29203) can be used for denial-of-service attacks, making cPanel-managed websites or services unavailable. It also presents a path for privilege escalation, allowing attackers to gain elevated permissions on the system. Such capabilities are often sought after by threat actors monitoring underground forum intelligence or dark web monitoring service for new exploits. Organizations should also consider the implications for supply-chain risk monitoring, as cPanel is a key component for many web hosting providers. A cyber threat intelligence platform helps detect and analyze such threats, potentially before they become widely exploited.

What mitigation steps and patches are available for these cPanel and WHM vulnerabilities?

cPanel has released updates to address all three vulnerabilities. Applying these patches is the most effective way to mitigate the risks posed by CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203. System administrators should update their cPanel and WHM installations to the specified patched versions immediately.

The shortcomings have been patched in the following versions:

  • cPanel and WHM:
  • 11.136.0.9 and higher
  • 11.134.0.25 and higher
  • 11.132.0.31 and higher
  • 11.130.0.22 and higher
  • 11.126.0.58 and higher
  • 11.124.0.37 and higher
  • 11.118.0.66 and higher
  • 11.110.0.116 and higher
  • 11.110.0.117 and higher
  • 11.102.0.41 and higher
  • 11.94.0.30 and higher
  • 11.86.0.43 and higher
  • WP Squared:
  • 11.136.1.10 and higher

cPanel has released 110.0.114 as a direct update for customers who continue to operate on CentOS 6 or CloudLinux 6. Users on these legacy systems are encouraged to apply this specific update. Updating to the latest stable version available for a given release tier ensures best protection against these and other known vulnerabilities. Regular updates are a basic aspect of maintaining security hygiene and reducing attack surface.

Technical Takeaways

  • Three vulnerabilities, CVE-2026-29201 (CVSS 4.3), CVE-2026-29202 (CVSS 8.8), and CVE-2026-29203 (CVSS 8.8), affect cPanel and WHM installations.
  • CVE-2026-29201 permits arbitrary file reads due to insufficient input validation in feature::LOADFEATUREFILE.
  • CVE-2026-29202 allows arbitrary Perl code execution via the create_user API call due to inadequate validation of the "plugin" parameter.
  • CVE-2026-29203 enables arbitrary file permission modification via unsafe symlink handling, potentially leading to denial-of-service or privilege escalation.
  • Patches are available across multiple cPanel and WHM version lines, including a specific update for CentOS 6/CloudLinux 6 users.
  • While no active exploitation is confirmed for these specific CVEs, historical context with CVE-2026-41940 demonstrates the potential for rapid weaponization of cPanel vulnerabilities.