cPanel and WHM Release Fixes for Three New Vulnerabilities, Including CVE-2026-29202 (CVSS 8.8)

Introduction

cPanel, a widely used web hosting automation platform, and its companion Web Host Manager (WHM) have recently issued updates addressing three distinct vulnerabilities. These security flaws, identified as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, present risks ranging from arbitrary file reads to privilege escalation and remote code execution. The patches show the ongoing need for continuous security assessments in web infrastructure.

The disclosure of these vulnerabilities shows the need for immediate patching, especially since another critical cPanel flaw, CVE-2026-41940, was recently exploited. That previous vulnerability was used by threat actors to deploy Mirai botnet variants and the Sorry ransomware. Understanding these newly identified weaknesses is important for maintaining the integrity and availability of hosted services, and organizations should refer to specific analyses of critical cPanel vulnerabilities for context.

These updates affect various versions of cPanel and WHM, requiring administrators to update their installations promptly. Ignoring such patches exposes systems to serious threats, potentially leading to unauthorized access, data compromise, or service disruption. PurpleOps provides a cyber threat intelligence platform designed to track and analyze these types of vulnerabilities, helping organizations prioritize their defensive actions.

What are the technical details of these cPanel and WHM vulnerabilities?

cPanel and WHM have released updates to address three security vulnerabilities that could lead to significant system compromises. These include an input validation flaw allowing arbitrary file reads, a vulnerability enabling arbitrary Perl code execution, and an unsafe symlink handling issue that could result in denial-of-service or privilege escalation.

CVE-2026-29201 (CVSS score: 4.3)

  • Type: Insufficient Input Validation
  • Description: This vulnerability resides in the "feature::LOADFEATUREFILE" adminbin call. Insufficient validation of the feature file name input allows an attacker to specify arbitrary file paths.
  • Impact: Exploitation of CVE-2026-29201 could result in an arbitrary file read. An authenticated attacker could read sensitive system files or configuration files not intended for public access, potentially exposing important system information, user data, or credentials. While this vulnerability has a lower CVSS score, the information gathered from arbitrary file reads can be used to escalate privileges or plan further attacks.
  • Attack Vector: Requires authenticated access to the adminbin call.

CVE-2026-29202 (CVSS score: 8.8)

  • Type: Insufficient Input Validation leading to Arbitrary Code Execution
  • Description: This vulnerability involves insufficient input validation of the "plugin" parameter within the "create_user API" call.
  • Impact: Exploitation of CVE-2026-29202 could lead to arbitrary Perl code execution. An attacker, already authenticated to an account, could execute malicious Perl code on the system under the context of that authenticated account's system user. This level of access can enable various malicious activities, including data manipulation, backdoor installation, further privilege escalation, or other malicious actions within the affected system. This vulnerability carries a high CVSS score due to the direct impact of code execution.
  • Attack Vector: Requires authenticated access and using the "create_user API" call.

CVE-2026-29203 (CVSS score: 8.8)

  • Type: Unsafe Symlink Handling
  • Description: This vulnerability involves unsafe symlink handling, allowing a user to modify access permissions of an arbitrary file using the chmod command.
  • Impact: Exploitation of CVE-2026-29203 can result in denial-of-service (DoS) or possible privilege escalation. An attacker could manipulate file permissions to render important system files inaccessible, causing service disruptions. Or, by altering permissions on specific files, an attacker might create pathways to raise their privileges within the system. Like CVE-2026-29202, this vulnerability also has a high CVSS score due to its potential for system compromise and disruption.
  • Attack Vector: Requires local user access to modify symlinks and use chmod.

How can these cPanel vulnerabilities be exploited and what is their practical impact?

While there is no current public evidence that CVE-2026-29201, CVE-2026-29202, or CVE-2026-29203 are being actively exploited in the wild, the potential for exploitation remains considerable. The nature of these flaws allows for various attack scenarios, impacting data confidentiality, integrity, and system availability. The high CVSS scores for two of these vulnerabilities show their criticality.

Exploiting CVE-2026-29201 for arbitrary file reads could be a precursor to a more complex attack chain. An attacker might initially use this to gather configuration files, system logs, or password hashes. This information could then be used to craft more targeted exploits or to gain higher privileges. For example, reading wp-config.php files on a WordPress installation hosted via cPanel could expose database credentials. A strong breach detection system would be important in identifying such reconnaissance attempts early.

CVE-2026-29202, permitting arbitrary Perl code execution, poses a serious threat. An authenticated attacker could execute commands on the server, potentially installing backdoors, creating new privileged accounts, deploying malicious payloads, or performing other harmful actions. This could lead to a full system compromise, allowing threat actors to steal sensitive customer data, host phishing pages, or integrate the server into a botnet. The implications for customers relying on hosting providers using cPanel are substantial, requiring constant supply-chain risk monitoring. In a broader cyber threat intelligence briefing, such vulnerabilities are categorized as critical due to their potential for direct impact on system security.

CVE-2026-29203, related to unsafe symlink handling, enables denial-of-service or privilege escalation. An attacker could use this to make important system files unwritable or unreadable, effectively shutting down services or even the entire server. Or, by strategically altering permissions, an attacker could gain root access or other higher privileges, leading to complete control over the compromised system. The risk of real-time ransomware intelligence becoming actionable increases considerably when vulnerabilities like these are exploited to gain initial access, as seen with the recent CVE-2026-41940 cPanel exploit that allowed ransomware deployment.

Even without known active exploitation, the risk remains. Threat actors often scan for unpatched systems shortly after vulnerabilities are disclosed. Information shared in underground forum intelligence or observed via telegram threat monitoring channels can sometimes indicate early stages of exploitation development or sales of proof-of-concept exploits. The potential for these vulnerabilities to be weaponized for brand leak scenarios, where customer data or intellectual property is exfiltrated, remains a serious concern.

What are the immediate mitigation and patching steps for these cPanel and WHM vulnerabilities?

To address CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, cPanel has released specific updates across multiple versions of cPanel and Web Host Manager (WHM). System administrators must prioritize these updates to protect their infrastructure from potential exploitation. Delaying these patches considerably increases the risk profile of affected systems.

The following versions include the necessary fixes:

  • cPanel and WHM:
  • 11.136.0.9 and higher
  • 11.134.0.25 and higher
  • 11.132.0.31 and higher
  • 11.130.0.22 and higher
  • 11.126.0.58 and higher
  • 11.124.0.37 and higher
  • 11.118.0.66 and higher
  • 11.110.0.116 and higher
  • 11.110.0.117 and higher
  • 11.102.0.41 and higher
  • 11.94.0.30 and higher
  • 11.86.0.43 and higher
  • WP Squared:
  • 11.136.1.10 and higher

For customers still running cPanel on legacy operating systems such as CentOS 6 or CloudLinux 6, cPanel has released version 110.0.114 as a direct update. All users must update their installations to the latest available patched versions to ensure good protection against these and other recently discovered vulnerabilities.

Beyond applying patches, organizations should maintain proactive security practices. This includes:

  • Regular Security Audits: Conduct frequent scans and penetration tests to identify other potential weaknesses.
  • Least Privilege Principle: Ensure all users and services operate with the minimum necessary permissions. This can help limit the impact of successful exploitation.
  • Monitoring and Alerting: Implement full logging and monitoring solutions to detect unusual activity that might indicate an attempted or successful exploit. PurpleOps offers a live ransomware API and other intelligence feeds that can augment internal monitoring capabilities.
  • Network Segmentation: Isolate cPanel/WHM instances from other critical infrastructure components to contain potential breaches.
  • Backup and Recovery: Maintain up-to-date backups and have a disaster recovery plan in place to minimize downtime and data loss in the event of a successful attack.

These immediate steps, along with a cyber threat intelligence platform, help address current vulnerabilities and prepare for future security issues.

Technical Takeaways

  • cPanel and WHM have patched three vulnerabilities: CVE-2026-29201 (arbitrary file read), CVE-2026-29202 (arbitrary Perl code execution), and CVE-2026-29203 (unsafe symlink handling).
  • CVE-2026-29202 and CVE-2026-29203 are rated with a high CVSS score of 8.8, showing critical impact potential.
  • Patches are available across numerous cPanel/WHM versions, including specific updates for CentOS 6 or CloudLinux 6 users.
  • Exploitation of these flaws could lead to data exposure, complete system compromise, denial-of-service, or privilege escalation.
  • Timely application of these updates is important, especially since the related CVE-2026-41940 was actively exploited.