
Three Critical cPanel and WHM Vulnerabilities Enable Code Execution, File Reads, and DoS Attacks

dark6 11 May 2026

cPanel has disclosed three critical security vulnerabilities tracked as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203 affecting its widely deployed cPanel & WHM web hosting control panel and WP Squared (WP2) platform. The flaws, patched on May 8, 2026, expose servers to arbitrary file reads, Perl code injection, and denial-of-service (DoS) attacks — making immediate patching essential for hosting providers and server administrators worldwide.

This disclosure comes weeks after another cPanel vulnerability (CVE-2026-41940) was exploited in the wild, enabling attackers to completely bypass login mechanisms. The new trio of vulnerabilities raises fresh concerns about the security posture of shared hosting environments that rely on cPanel at scale.

CVE-2026-29201: Arbitrary File Read via Path Traversal

The first vulnerability resides in the feature::LOADFEATUREFILE adminbin call, which fails to adequately validate the feature file name parameter. An attacker can pass a relative path as the argument, causing an arbitrary file on the server to be made world-readable.

This type of path traversal flaw can expose sensitive system files, including configuration files, credentials, and private keys — giving attackers a foothold for deeper compromise. In shared hosting environments where dozens or hundreds of tenants reside on a single server, this kind of exposure can cascade into a multi-tenant breach.

CVE-2026-29202: Perl Code Injection in User Creation API

The second and most severe flaw is a Perl code injection vulnerability discovered in the create_user API call, specifically related to the plugin parameter. When unsanitized input reaches this parameter, attackers can inject and execute arbitrary Perl code on the server.

Remote code execution (RCE) vulnerabilities of this nature carry the highest risk, potentially allowing full server takeover, data exfiltration, and deployment of malware or backdoors across hosted environments. Security teams should treat this as the highest-priority item in their remediation queue.

CVE-2026-29203: Unsafe Symlink Handling Leads to DoS and Privilege Abuse

The third flaw stems from unsafe symlink handling that permits a user to chmod an arbitrary file on the system. This weakness can be exploited to disrupt critical system operations, resulting in denial-of-service conditions. It could also be chained with other vulnerabilities to escalate privileges and gain unauthorized administrative access.

In multi-tenant hosting environments, privilege escalation of this kind could allow a low-privileged tenant to affect other users on the same server — a serious threat to platform integrity.

Affected Versions and Patched Releases

All three vulnerabilities affect the same range of cPanel & WHM versions. cPanel has released patches across all active branches. Administrators should update to one of the following versions or higher:

  • 11.136.0.9
  • 11.134.0.25
  • 11.132.0.31
  • 11.130.0.22
  • 11.126.0.58
  • 11.124.0.37
  • 11.118.0.66
  • 11.110.0.116 / 11.110.0.117
  • 11.102.0.41
  • 11.94.0.30
  • 11.86.0.43

WP Squared users should upgrade to version 11.136.1.10 or higher. Servers running CentOS 6 or CloudLinux 6 can apply a direct update to version 110.0.114 by first setting the upgrade tier with the command:

sed -i "s/CPANEL=.*/CPANEL=cl6110/g" /etc/cpupdate.conf

How to Apply the Patch

Administrators can update their cPanel installation immediately by running the forced update script:

/scripts/upcp --force

Once completed, verify the installed version using:

/usr/local/cpanel/cpanel -V

Confirm the version matches one of the patched releases listed above before considering the remediation complete. After patching, administrators are also advised to review server logs for any signs of exploitation activity, particularly around the create_user API endpoint and any recent feature file loading operations.
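
The version check described above can be scripted across a fleet. The following is an added example, not cPanel's own tooling: `is_patched` and `PATCHED` are hypothetical names, and the input is assumed to be a dotted version string in the form used in the list above (with or without the leading "11."), so output in any other format has to be normalized first.

```shell
#!/bin/sh
# Patched builds from the article's list, leading "11." dropped.
# Branch 110 lists two builds (116 / 117); the lower one is the floor.
# The CentOS 6 / CloudLinux 6 build 110.0.114 is a separate tier and is
# not in this table, so it is reported as below the floor.
PATCHED="136.0.9 134.0.25 132.0.31 130.0.22 126.0.58 124.0.37
118.0.66 110.0.116 102.0.41 94.0.30 86.0.43"

# is_patched VERSION   (hypothetical helper, not a cPanel tool)
#   0 = at or above the patched build for its branch
#   1 = below the patched build
#   2 = unparseable, or branch not in the table (check manually)
is_patched() {
    v=${1#11.}                          # "11.110.0.116" or "110.0.116"
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $v                           # split on dots
    IFS=$old_ifs
    [ $# -eq 3 ] || return 2
    for p in $PATCHED; do
        rest=${p#*.}
        if [ "$1" -eq "${p%%.*}" ] && [ "$2" -eq "${rest%%.*}" ]; then
            [ "$3" -ge "${rest#*.}" ] && return 0
            return 1
        fi
    done
    return 2
}

# Constructed sample versions, not output from a real server.
for sample in 11.136.0.9 11.134.0.24 11.128.0.5; do
    rc=0; is_patched "$sample" || rc=$?
    echo "$sample -> $rc"
done
```

A return code of 2 means the branch is not one of the patched branches listed here, so the server needs a manual check rather than being assumed safe.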

Why This Matters for Hosting Providers

cPanel and WHM power an estimated tens of millions of websites across shared hosting environments worldwide. Because multiple tenants operate on a single server in shared hosting, vulnerabilities that allow one tenant to read files belonging to another — or to execute arbitrary code — can result in catastrophic, cascading breaches.

Given that CVE-2026-29202 enables direct code execution and CVE-2026-29203 opens the door to privilege escalation, hosting providers running unpatched cPanel installations face significant exposure to lateral movement and full server compromise. With a previous cPanel zero-day having already been exploited in the wild this year, threat actors are clearly aware of — and actively targeting — this ecosystem.

Administrators are urged to apply available patches without delay and monitor for any anomalous activity consistent with file traversal or unauthorized API calls.
