cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now
cPanel and WHM Release Patches for Three Vulnerabilities Enabling Code Execution and Privilege Escalation
TL;DR — cPanel has released patches for three vulnerabilities (CVE-2026-29201, CVE-2026-29202, CVE-2026-29203) affecting cPanel, WHM, and WP Squared. Two carry CVSS 8.8 scores and permit arbitrary code execution and privilege escalation; the third allows arbitrary file read. No evidence of active exploitation exists, but the announcement follows disclosure of a separate critical flaw (CVE-2026-41940) already weaponized to deliver Mirai and ransomware.
What happened
cPanel released patches across multiple product versions to address two input-validation flaws and one symlink-handling flaw. They differ in severity and attack vector:
CVE-2026-29201 (CVSS 4.3) stems from insufficient input validation of feature file names in the "feature::LOADFEATUREFILE" adminbin call. This flaw permits arbitrary file read access, creating a path for information disclosure on affected systems.
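The bug class behind CVE-2026-29201, a loader that trusts a caller-supplied file name, is easy to reproduce generically. The following Python is an added illustration, not cPanel's code: `naive_load` joins the name straight onto the feature directory, so a traversal string or a planted symlink reads files outside it, while `safe_load` allowlists the name and then checks that the resolved path still sits under the directory. The directory layout, file names, contents and the allowlist pattern are all constructed for the demo.

```python
import os
import re
import tempfile

# Only plain names: no '/' and no '.', so neither '../x' nor an absolute
# path can pass. (Pattern is an assumption for this demo, not cPanel's rule.)
FEATURE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def naive_load(feature_dir: str, name: str) -> str:
    """Unsafe: the caller-supplied name is joined straight onto the directory.

    '../secret.conf' walks out of feature_dir, and a symlink planted inside
    feature_dir reads whatever it points at."""
    with open(os.path.join(feature_dir, name)) as fh:
        return fh.read()


def safe_load(feature_dir: str, name: str) -> str:
    """Allowlist the name, then confirm the *resolved* path is still inside
    feature_dir so a symlinked entry cannot escape either."""
    if not FEATURE_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid feature name: {name!r}")
    base = os.path.realpath(feature_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"feature {name!r} resolves outside {base}")
    with open(target) as fh:
        return fh.read()


def demo() -> dict:
    """Build a constructed layout in a temp dir and exercise both loaders."""
    with tempfile.TemporaryDirectory() as root:
        feature_dir = os.path.join(root, "features")
        os.mkdir(feature_dir)
        with open(os.path.join(feature_dir, "default"), "w") as fh:
            fh.write("feature:default\n")
        secret = os.path.join(root, "secret.conf")            # outside feature_dir
        with open(secret, "w") as fh:
            fh.write("db_password=hunter2\n")                 # constructed secret
        os.symlink(secret, os.path.join(feature_dir, "linked"))  # attacker-planted

        out = {
            "naive_traversal": naive_load(feature_dir, "../secret.conf"),
            "naive_symlink": naive_load(feature_dir, "linked"),
            "safe_legit": safe_load(feature_dir, "default"),
        }
        for key, name in (("safe_traversal", "../secret.conf"),
                          ("safe_symlink", "linked")):
            try:
                safe_load(feature_dir, name)
                out[key] = "read"
            except ValueError:
                out[key] = "rejected"
        return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The allowlist alone stops traversal; the `realpath` containment check is what stops the symlink case, which a name filter cannot see. Both belong in any loader that maps a user-supplied name to a file under a fixed directory.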
CVE-2026-29202 (CVSS 8.8) affects the create_user API call through inadequate validation of its "plugin" parameter. An authenticated attacker can use it to execute arbitrary Perl code as the operating-system user behind the authenticated cPanel account.
CVE-2026-29203 (CVSS 8.8) is unsafe symlink handling that lets a user change the permissions of files they do not own: a chmod applied on the user's behalf follows a user-controlled symlink and lands on the link's target. Depending on which file is hit, the result is denial of service or privilege escalation.
cPanel has released patched builds for every cPanel and WHM version branch named in the advisory summary, from 11.86 through 11.136, as well as an update to WP Squared. A separate direct update (version 110.0.114) is available for legacy deployments on CentOS 6 or CloudLinux 6.
At the time of publication, no evidence indicates these three vulnerabilities have been exploited in production environments.
Why it matters
For hosting providers and administrators running cPanel or WHM, these patches close holes in confidentiality (arbitrary file read), integrity (code execution and permission changes) and availability (permission changes that break services). The two high-severity flaws (CVE-2026-29202 and CVE-2026-29203) are both rated CVSS 8.8.
CVE-2026-29202 turns panel-level access into arbitrary Perl execution as the operating-system user behind the authenticated cPanel account. That is not root, but it is a shell-equivalent foothold: an attacker who holds or steals one customer's credentials gains a process on the host from which to attempt lateral movement, and exactly the position from which a local bug such as CVE-2026-29203 becomes usable.
CVE-2026-29203's unsafe symlink handling matters most in multi-tenant hosting. A user can create symlinks only in their own space, but if cPanel applies chmod through such a link on the user's behalf, the mode change lands on the link's target: a file owned by another customer or by the system. Loosening permissions exposes or lets the attacker modify another tenant's data; tightening them breaks services, which is the denial-of-service case the advisory mentions.
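To make the symlink-following chmod concrete (the flaw described under "What happened" and in the paragraph above), here is an added Python example, not cPanel's code, that models the bug class generically. `chmod_unsafe` is the path-based call that follows a planted symlink onto someone else's file; `chmod_safe` opens the final component with `O_NOFOLLOW`, verifies the inode's owner via `fstat`, and then applies `fchmod` on the descriptor so no second path lookup can be raced. The victim file, the planted link and the expected owner (the current uid) are all constructed for the demo.

```python
import os
import stat
import tempfile


def chmod_unsafe(path: str, mode: int) -> None:
    """Path-based chmod follows symlinks: if `path` is a link the caller
    planted, the *target's* permissions change instead of the caller's file."""
    os.chmod(path, mode)


def chmod_safe(path: str, mode: int, expected_uid: int) -> None:
    """Open the final path component without following symlinks, check the
    inode's owner, then chmod the descriptor (no path re-resolution, so no
    check/change race)."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as exc:                 # ELOOP when the last component is a symlink
        raise PermissionError(f"refusing {path}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)
        if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
            raise PermissionError(f"refusing {path}: not a regular file or directory")
        if st.st_uid != expected_uid:
            raise PermissionError(f"refusing {path}: owned by uid {st.st_uid}, not {expected_uid}")
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: 'victim.conf' stands in for a file belonging to
    another account; 'mine' is the symlink an attacker would plant."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim.conf")
        open(victim, "w").close()
        os.chmod(victim, 0o600)
        link = os.path.join(root, "mine")
        os.symlink(victim, link)

        chmod_unsafe(link, 0o666)
        after_unsafe = stat.S_IMODE(os.stat(victim).st_mode)  # target opened up
        os.chmod(victim, 0o600)                                # reset for the next run

        try:
            chmod_safe(link, 0o666, os.getuid())
            safe_on_link = "changed"
        except PermissionError:
            safe_on_link = "rejected"
        after_safe = stat.S_IMODE(os.stat(victim).st_mode)

        own = os.path.join(root, "own.txt")                   # legitimate use still works
        open(own, "w").close()
        os.chmod(own, 0o600)
        chmod_safe(own, 0o644, os.getuid())
        own_mode = stat.S_IMODE(os.stat(own).st_mode)

        return {"after_unsafe": after_unsafe, "safe_on_link": safe_on_link,
                "after_safe": after_safe, "own_mode": own_mode}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {oct(v) if isinstance(v, int) else v}")
```

`O_NOFOLLOW` only guards the last path component; if an attacker can replace a directory higher in the path with a symlink, walk the path component by component with `dir_fd`-based opens instead. The owner check is the second line of defence: even a path that is not a symlink is refused if the inode belongs to someone other than the requesting account.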
The lower-severity CVE-2026-29201 may appear less critical in isolation, but arbitrary file read can expose sensitive configuration data, API keys, or database credentials, compounding risk when chained with other attacks.
The timing compounds operational urgency: cPanel disclosed these three flaws days after CVE-2026-41940, a separate critical vulnerability already observed in active exploitation delivering Mirai botnet variants and a ransomware strain named Sorry. This pattern suggests heightened attacker interest in cPanel infrastructure.
Affected systems and CVEs
- cPanel and WHM — CVE-2026-29201, CVE-2026-29202, CVE-2026-29203
- WP Squared — CVE-2026-29201, CVE-2026-29202, CVE-2026-29203
What to do
- Update cPanel and WHM to version 11.136.0.9 or higher, or to the latest version within your current branch (11.134.0.25+, 11.132.0.31+, 11.130.0.22+, 11.126.0.58+, 11.124.0.37+, 11.118.0.66+, 11.110.0.116+, 11.102.0.41+, 11.94.0.30+, or 11.86.0.43+)
- Update WP Squared to version 11.136.1.10 or higher
- For systems on CentOS 6 or CloudLinux 6, apply update 110.0.114
- Prioritize patching systems exposed to untrusted networks or where user-facing APIs are active
- Given the concurrent active exploitation of CVE-2026-41940, verify no unpatched instances remain in your environment
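A quick way to audit a fleet against the minimum builds listed above is to compare each host's installed version with its branch minimum. The following Python is an added helper, not a cPanel tool: the version table is copied from the "What to do" list, the installed version is assumed to live in `/usr/local/cpanel/version` in the four-part `11.x.y.z` form, and any build at or above 11.136.0.9 (including later branches) is treated as fixed. The separate 110.0.114 build for CentOS 6 / CloudLinux 6 and the WP Squared version line use different numbering on the page and are not modelled.

```python
import re
import sys

# Minimum fixed build per branch, taken from the "What to do" list above.
MIN_FIXED = {
    136: (11, 136, 0, 9),
    134: (11, 134, 0, 25),
    132: (11, 132, 0, 31),
    130: (11, 130, 0, 22),
    126: (11, 126, 0, 58),
    124: (11, 124, 0, 37),
    118: (11, 118, 0, 66),
    110: (11, 110, 0, 116),
    102: (11, 102, 0, 41),
    94: (11, 94, 0, 30),
    86: (11, 86, 0, 43),
}
LATEST_FIXED = MIN_FIXED[136]   # "11.136.0.9 or higher" covers every later build

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple:
    """'11.136.0.9\\n' -> (11, 136, 0, 9); anything else is rejected."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable', or 'unknown-branch' for one version string."""
    v = parse_version(text)
    if v >= LATEST_FIXED:
        return "patched"
    branch = v[1]
    if v[0] != 11 or branch not in MIN_FIXED:
        return "unknown-branch"         # not in the advisory list: check cPanel directly
    return "patched" if v >= MIN_FIXED[branch] else "vulnerable"


def read_installed_version(path: str = "/usr/local/cpanel/version") -> str:
    """Assumed location of the installed version string on a cPanel host."""
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    # Usage: python check_cpanel.py [version]; with no argument, read the local file.
    text = sys.argv[1] if len(sys.argv) > 1 else read_installed_version()
    print(f"{text.strip()}: {assess(text)}")
```

Run it on each host (or feed it version strings collected by your configuration-management tool) and treat "unknown-branch" as a prompt to confirm against the advisory rather than as a pass.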
Open questions
- The source says CVE-2026-29202 requires an authenticated attacker but not which level of account suffices: it describes the code running as "an already authenticated account's system user" without saying whether an ordinary cPanel account, a reseller, or WHM root access is needed. A CVSS 8.8 with high confidentiality, integrity and availability impact corresponds to a network-reachable flaw needing only low privileges (the same impact with no privileges would score 9.8), which would put any cPanel account in scope, but the source does not give the vector string. Whether CVE-2026-29203 can be triggered by any account holder or only by a particular role is likewise unstated.
- The scope and specifics of CVE-2026-29201's arbitrary file read are not detailed—clarification on which file types and paths are accessible would aid risk prioritization.
- The advisory lists patched versions but does not confirm whether all supported cPanel branches have received patches or only those listed.
- No timeline for patch deployment requirements or deprecation of unpatched versions is provided.
Source
cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now