cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now
cPanel and WHM have released critical security updates addressing three vulnerabilities that could enable privilege escalation, arbitrary code execution, and denial-of-service attacks. System administrators are urged to patch immediately.
The Vulnerabilities
Three distinct vulnerabilities have been identified and patched in the latest cPanel and WHM releases:
CVE-2026-29201 (CVSS: 4.3) An insufficient input validation vulnerability in the feature file name parameter within the "feature::LOADFEATUREFILE" adminbin call. This flaw could allow attackers to perform arbitrary file reads, potentially exposing sensitive configuration data and credentials.
CVE-2026-29202 (CVSS: 8.8 - HIGH) A critical insufficient input validation flaw in the "plugin" parameter of the "create_user API" call. This vulnerability enables arbitrary Perl code execution on behalf of an already authenticated account's system user, representing a severe privilege escalation risk.
CVE-2026-29203 (CVSS: 8.8 - HIGH) An unsafe symlink handling vulnerability that allows users to modify access permissions of arbitrary files using chmod. This can result in denial-of-service conditions or potential privilege escalation through permission manipulation.
Patched Versions
cPanel and WHM users should update to the following versions or higher:
- 11.136.0.9+ - 11.134.0.25+ - 11.132.0.31+ - 11.130.0.22+ - 11.126.0.58+ - 11.124.0.37+ - 11.118.0.66+ - 11.110.0.116+ / 11.110.0.117+ - 11.102.0.41+ - 11.94.0.30+ - 11.86.0.43+
WP Squared users should update to version 11.136.1.10 or higher.
For customers still on CentOS 6 or CloudLinux 6, cPanel has released version 11.102.0.114 as a direct update path.
Why This Matters
While no active exploitation has been confirmed for these three vulnerabilities, the timing is concerning. This disclosure comes just days after another critical cPanel flaw (CVE-2026-41940) was weaponized as a zero-day to deliver Mirai botnet variants and the "Sorry" ransomware strain.
The presence of two HIGH severity vulnerabilities (CVSS 8.8) in the API and symlink handling components means that authenticated attackers could potentially gain significant control over affected systems. For web hosting providers and enterprises running cPanel/WHM, immediate patching is essential to prevent potential compromise.
Action Required
System administrators should:
- Verify current cPanel/WHM version via WHM interface or command line - Schedule immediate updates to patched versions - Review user account permissions and API access logs - Monitor for unusual file permission changes or symlink activity - Ensure backup systems are current before applying updates
cPanel updates can typically be applied via WHM's "Upgrade to Latest Version" feature or through command-line tools. Production environments should follow standard change management procedures with appropriate testing windows.
