Security Patch: Security vulnerabilities in cPanel and WHM closed again

Among other things, attackers can target cPanel and WebHost Manager with malicious code. Security patches are available.


The web server and management software cPanel and WebHost Manager (WHM) are once again vulnerable. In the worst case, malicious code can get onto systems and compromise them. Admins should install the patched versions promptly.

Only recently, the developers warned of a “critical” security vulnerability (CVE-2026-41940), which attackers can use to access the control panel without logging in. Attackers are already exploiting this vulnerability, and more than 4000 instances in Germany have already been attacked.

The three new security vulnerabilities (CVE-2026-29202 “high,” CVE-2026-292203 “high,” CVE-2026-29201 “medium”) are listed in the security section of the cPanel website. In the first case, user input in the context of the create_user plug-in is not sufficiently validated, allowing attackers to push and execute malicious code on systems in the name of an already authenticated user.


Due to insecure handling of symlinks, the second vulnerability allows attackers to trigger DoS states and thus crashes, or to gain higher user privileges. In the third case, unauthorized file access is conceivable. How these attacks could be carried out specifically is currently unclear.

For the new vulnerabilities, the software developer has not yet issued a warning about ongoing attacks. However, admins should not wait too long to install the available security updates. These versions of cPanel, WHM, and WP Squared are protected against the described attacks:

  • 11.136.0.9
  • 11.134.0.25
  • 11.132.0.31
  • 11.130.0.22
  • 11.126.0.58
  • 11.124.0.37
  • 11.118.0.66
  • 11.110.0.116
  • 11.110.0.117
  • 11.102.0.41
  • 11.94.0.30
  • 11.86.0.43
  • 11.136.1.10 (WP Squared)
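
To compare an installed build against the list above, the following added example (not code from heise or cPanel) checks a four-part version string against the fixed build of its release branch. It assumes that the first three components identify the branch, that a higher build number on the same branch is also patched, and, because branch 11.110.0 is listed twice, that the higher of the two builds is the threshold; the sample inputs are constructed.

```python
# Added example: fixed builds copied verbatim from the list in the article.
FIXED_BUILDS = [
    "11.136.0.9", "11.134.0.25", "11.132.0.31", "11.130.0.22",
    "11.126.0.58", "11.124.0.37", "11.118.0.66", "11.110.0.116",
    "11.110.0.117", "11.102.0.41", "11.94.0.30", "11.86.0.43",
    "11.136.1.10",  # WP Squared
]

def parse(version):
    """Split 'a.b.c.d' into four integers, rejecting anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a four-part version: {version!r}")
    return tuple(int(p) for p in parts)

def thresholds(fixed=FIXED_BUILDS):
    """Map each branch (first three parts) to its required build number."""
    required = {}
    for entry in fixed:
        *branch, build = parse(entry)
        key = tuple(branch)
        # Assumption: when a branch is listed twice, require the higher build.
        required[key] = max(required.get(key, 0), build)
    return required

def check(version):
    """Return 'patched', 'needs-update' or 'unlisted' for an installed version."""
    *branch, build = parse(version)
    required = thresholds().get(tuple(branch))
    if required is None:
        # Branch is not in the article's list: no statement is possible.
        return "unlisted"
    return "patched" if build >= required else "needs-update"

if __name__ == "__main__":
    # Constructed sample inputs, not taken from real systems.
    for sample in ["11.136.0.8", "11.136.0.9", "11.110.0.116",
                   "11.136.1.10", "11.128.0.5"]:
        print(f"{sample}: {check(sample)}")
```

A result of `unlisted` means the branch does not appear in the article, so the installed release needs to be checked against the vendor's own security notices.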

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.