Web hosting software cPanel: Updates close security gap

The new versions of the cPanel and WHM web hosting management software close at least one security vulnerability that is considered high-risk.


The cPanel software is used to manage accounts and websites with web hosts. The developers have released several updated versions that close security vulnerabilities.

The vulnerabilities are in third-party software that cPanel and WHM ship. The changelog for version 130.0.5 mentions CVE-2024-38999, a prototype pollution vulnerability in jrburke requirejs 2.3.6 that allows attackers to inject and execute malicious code or to trigger a denial of service. However, the vulnerability entry does not assign a severity rating.

The cPanel branches 130, 128, 126, 118 and 110 also contain a vulnerable SQLite version. In SQLite versions prior to 3.50.2, the number of aggregate terms can exceed the number of available columns, resulting in uncontrolled memory access (CVE-2025-6965 / EUVD-2025-21441, CVSS 7.2, risk "high").

To close the security gaps, the vendor is making cPanel and WHM versions 130.0.5/6, 128.0.18, 126.0.28, 118.0.53 and 110.0.71 available for download. IT managers should install them promptly so that malicious actors cannot abuse the now-fixed vulnerabilities.
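For admins with several servers, the fixed builds listed above can be turned into a quick inventory check. The following is an added example, not code from the article or from cPanel; the function names, host names and sample versions are constructed, and treating 130.0.5 as the lowest fixed build of branch 130 is an assumption based on the "130.0.5/6" wording.

```python
# Lowest fixed build per branch, as listed in the article. For branch 130 the
# article gives "130.0.5/6"; using 130.0.5 as the minimum is an assumption.
FIXED = {130: (130, 0, 5), 128: (128, 0, 18), 126: (126, 0, 28),
         118: (118, 0, 53), 110: (110, 0, 71)}

def parse_version(text):
    """Parse 'major.minor.build' into a tuple of ints."""
    parts = text.strip().split(".")
    # Assumption: some inventories report a legacy "11." prefix (11.x.y.z).
    if len(parts) == 4 and parts[0] == "11":
        parts = parts[1:]
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def classify(text):
    """Return 'patched', 'needs-update', 'unlisted-branch' or 'unparseable'."""
    try:
        version = parse_version(text)
    except ValueError:
        return "unparseable"
    fixed = FIXED.get(version[0])
    if fixed is None:
        # Branch not named in the article: no fixed build to compare against.
        return "unlisted-branch"
    # Integer tuples compare numerically, so build 9 sorts below build 71
    # (a plain string comparison would get this wrong).
    return "patched" if version >= fixed else "needs-update"

def triage(inventory):
    """Map each host to its status; inventory is {host: version string}."""
    return {host: classify(ver) for host, ver in inventory.items()}

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {"web01": "130.0.5", "web02": "128.0.17", "web03": "11.126.0.28",
          "web04": "124.0.30", "web05": "110.0.9", "web06": "n/a"}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unlisted-branch" or "unparseable" need a manual look, since the article names no fixed build for them.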


The developers have published a separate changelog for each development branch. They are dated Thursday of last week.

Attacks on security vulnerabilities in web hosting software pose a permanent threat. WordPress plug-ins, for example, provide a large attack surface due to their large number. Criminals like to exploit this. The "Motors" theme, for example, opened up a security vulnerability that attackers misused to take over entire WordPress instances.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.