
cPanel and WHM Patch Three Vulnerabilities Including RCE and Privilege Escalation


WebPros has released emergency security patches for cPanel and Web Host Manager (WHM) — the industry-standard web hosting control panel powering more than 44,000 servers and 70 million domains worldwide — addressing three newly disclosed vulnerabilities: CVE-2026-29202 (CVSS v3.1 score of 8.8, High — an authenticated remote code execution flaw), CVE-2026-29203 (CVSS v3.1 score of 8.8, High — privilege escalation and denial-of-service via symlink abuse), and CVE-2026-29201 (CVSS v3.1 score of 4.3, Medium — arbitrary file read). Patches were released on May 8, 2026 and are available immediately via the standard /scripts/upcp update mechanism. No public exploit code is known at time of writing, but this disclosure follows the emergency patch for CVE-2026-41940 — a critical pre-auth bypass that is actively exploited and listed on the CISA Known Exploited Vulnerabilities (KEV) catalog — making these updates particularly urgent for every cPanel administrator.

CVE-2026-29202, CVE-2026-29203, CVE-2026-29201: Technical Details

CVE-2026-29201 — Arbitrary File Read

CVE-2026-29201 (CVSS 4.3, Medium — exploitable by an authenticated user without elevated privileges) is rooted in insufficient input validation (CWE-20, a class of bug where the application fails to adequately sanitise user-supplied data before processing it) in the feature::LOADFEATUREFILE adminbin call. An attacker with a valid cPanel account can supply a crafted feature file name to trigger arbitrary file reads on the underlying server filesystem. While rated Medium, arbitrary file reads can expose sensitive files — /etc/passwd, private SSL keys, database configuration files, and other stored credentials — turning a mid-severity bug into a meaningful information-disclosure stepping stone toward deeper compromise.

The official cPanel advisory for CVE-2026-29201 confirms the vulnerability was reported through WebPros' coordinated disclosure programme and patched in the same May 8 TSR (Technical Support Release — cPanel's format for security-only patch bundles).

CVE-2026-29202 — Authenticated Remote Code Execution

CVE-2026-29202 (CVSS 8.8, High — exploitable by any authenticated cPanel user) is the most impactful of the three. It stems from insufficient validation of the plugin parameter in the create_user API call. An attacker who holds any valid cPanel session can pass a maliciously crafted value to this parameter and execute arbitrary Perl code in the context of the system user associated with their account. RCE (Remote Code Execution — the ability for an attacker to run arbitrary commands on a remote system without physical access) at CVSS 8.8 means the attack requires no elevated privileges beyond a normal login, no victim interaction, and is executable entirely over the network.

The impact is amplified in shared-hosting environments. A single compromised or low-cost hosting account can be weaponised via CVE-2026-29202 to break tenant isolation, read files belonging to other customers, deploy persistent web shells, or pivot upward toward the WHM administrator layer controlling the entire server. The CVE-2026-29202 official advisory is available at cPanel's support portal.

CVE-2026-29203 — Privilege Escalation and Denial of Service via Symlink Abuse

CVE-2026-29203 (CVSS 8.8, High) involves unsafe handling of symbolic links (symlinks — filesystem shortcuts that redirect one path to another location on disk). An authenticated cPanel user can create a symlink that tricks the platform into invoking chmod (the Unix command for changing file access permissions) on an arbitrary file anywhere on the server. An attacker can exploit this to modify permissions on critical system files — either locking out the legitimate server owner (denial of service) or granting themselves elevated access to restricted areas (privilege escalation). The official advisory for CVE-2026-29203 details the full affected scope.

Exploitation Status and Threat Landscape

As of May 9, 2026, no public PoC (Proof-of-Concept — working exploit code that demonstrates a vulnerability in practice) has been published for any of the three CVEs. Neither CVE-2026-29201, CVE-2026-29202, nor CVE-2026-29203 appears in the CISA KEV catalog (U.S. Cybersecurity & Infrastructure Security Agency's Known Exploited Vulnerabilities list — inclusion on this list confirms active exploitation in the wild). WebPros pre-disclosed all three CVEs under coordinated embargo on May 7, releasing technical details simultaneously with the patch on May 8.

Context matters significantly here. These vulnerabilities arrive into a threat landscape already actively targeting cPanel infrastructure. CVE-2026-41940 — a pre-authentication bypass rated CVSS 9.8 (Critical) that enables full server takeover without any credentials — was patched by WebPros in an emergency TSR just ten days prior and remains listed on the CISA KEV. Threat actors including Mirai botnet operators and a Go-based ransomware group tracked as "Sorry" were observed exploiting CVE-2026-41940 within days of public disclosure. With adversaries already scanning cPanel hosts opportunistically, the window between disclosure and weaponisation of CVE-2026-29202 is likely to compress quickly once researchers begin analysing the patch diff.

Who Is Affected

All cPanel and WHM installations running unpatched versions across every supported branch are vulnerable. The patched builds by branch are:

| Version Branch | Patched Build |
|---|---|
| 11.136.x | 11.136.0.9 |
| 11.134.x | 11.134.0.25 |
| 11.132.x | 11.132.0.31 |
| 11.130.x | 11.130.0.22 |
| 11.126.x | 11.126.0.58 |
| 11.124.x | 11.124.0.37 |
| 11.118.x | 11.118.0.66 |
| 11.110.x | 11.110.0.116 / 11.110.0.117 |
| 11.102.x | 11.102.0.41 |
| 11.94.x | 11.94.0.30 |
| 11.86.x | 11.86.0.43 |

WP Squared users should upgrade to 11.136.1.10 or later. Servers running the legacy CentOS 6 / CloudLinux 6 branch should update to 110.0.114. Patch delivery date: May 8, 2026, 12:00 EST, via /scripts/upcp.
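As an added example (not code from WebPros or the advisory), the following script checks the string in /usr/local/cpanel/version against the patched builds in the table above. The version layout (major.branch.type.build) and the branch entries come from this article; the separate CentOS 6 / CloudLinux 6 build is left out because it does not follow that layout.

```python
import re

# Minimum patched build per (major, branch, build-type) prefix, copied from the
# table above; 11.110.x lists two patched builds, so the lower one is the floor.
# Constructed for this example; not code from WebPros or cPanel.
PATCHED_BUILDS = {
    (11, 136, 0): 9,
    (11, 134, 0): 25,
    (11, 132, 0): 31,
    (11, 130, 0): 22,
    (11, 126, 0): 58,
    (11, 124, 0): 37,
    (11, 118, 0): 66,
    (11, 110, 0): 116,
    (11, 102, 0): 41,
    (11, 94, 0): 30,
    (11, 86, 0): 43,
    (11, 136, 1): 10,  # WP Squared builds (11.136.1.x)
}


def parse_version(text):
    """Parse a cPanel version string such as '11.136.0.7' into an int tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def patch_status(text):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for a version string.

    'unknown-branch' covers branches absent from the table (end-of-life or newer
    than the advisory); do not treat those as safe, check the vendor table.
    """
    major, branch, kind, build = parse_version(text)
    minimum = PATCHED_BUILDS.get((major, branch, kind))
    if minimum is None:
        return "unknown-branch"
    return "patched" if build >= minimum else "vulnerable"


if __name__ == "__main__":
    import sys
    # /usr/local/cpanel/version is the file the article tells you to inspect.
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/cpanel/version"
    with open(path) as fh:
        version = fh.read()
    print(version.strip(), "->", patch_status(version))
```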

The affected universe spans shared hosting providers, managed WordPress platforms, reseller hosts, VPS operators, and organisations self-hosting cPanel/WHM. Estimated exposure: more than 44,000 internet-facing cPanel instances serving approximately 70 million domains.

Shared hosting providers face heightened risk because CVE-2026-29202 and CVE-2026-29203 each require only an authenticated cPanel session — the credential any paying tenant holds. An attacker needs no privileged WHM access; a standard $3/month hosting account provides sufficient foothold to initiate the full attack chain.

What You Should Do Right Now

  • Run the update immediately. Log into WHM as root and execute the standard update command to pull the latest security build:

```bash
/scripts/upcp --tier=release
```

Alternatively, navigate in WHM to Upgrade to Latest Version. Confirm the installed version matches or exceeds the patched build for your branch before closing the terminal.

  • Check your current version branch. cPanel supports multiple concurrent branches. Verify which branch your server is on:

```bash
cat /usr/local/cpanel/version
```

  • Restrict management ports by IP allowlist immediately. Before patching is confirmed, restrict access to ports 2083 (cPanel SSL), 2087 (WHM SSL), 2095, and 2096 to known administrator IPs using your server firewall. With ConfigServer Firewall (CSF):

```bash
# Adds the IP to csf.allow so it is always permitted. To limit the cPanel/WHM
# ports to allowlisted IPs only, also remove 2083, 2087, 2095 and 2096 from
# TCP_IN in /etc/csf/csf.conf and restart CSF.
csf -a YOUR_ADMIN_IP_HERE
```

  • Scan for CVE-2026-29203 artefacts — unexpected world-writable files. The symlink chmod abuse may have modified file permissions if your server was targeted. Check for world-writable files in home directories:

```bash
# Regular files under /home that are writable by "other"; review each hit.
find /home -perm -o+w -type f -ls 2>/dev/null
```

  • Enable automatic updates if not already active. In WHM, navigate to Server Configuration > Update Preferences and set the update tier to Automatic. cPanel pushes TSR security patches to auto-update hosts within hours of release.
  • Monitor for CVE-2026-29201 exploitation attempts. Watch cPanel access logs for anomalous calls referencing feature::LOADFEATUREFILE from accounts that do not own the referenced feature files. Flag and investigate immediately.
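An added example of the log check in the last step (not cPanel's own tooling): it scans log lines for feature::LOADFEATUREFILE calls and flags feature names that are not plain identifiers, or that are not assigned to the calling account. The line format, the account-to-feature-list map and the sample lines are all constructed for the example; adapt the regex to the real log you parse.

```python
import re

# Constructed line shape for this example (NOT the real cPanel log format):
# "<date> <time> user=<account> call=<adminbin call> arg=<argument>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) call=(?P<call>\S+) arg=(?P<arg>\S*)$"
)
# Feature list names are simple tokens; slashes, dots, empty values etc. are suspect.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def check_line(line, expected_features):
    """Return a reason string if the line is a suspicious LOADFEATUREFILE call, else None.

    expected_features maps account -> set of feature-list names that account may
    load (constructed here; on a real server derive it from WHM's package and
    feature-list assignments).
    """
    m = LINE_RE.match(line.strip())
    if not m or m["call"] != "feature::LOADFEATUREFILE":
        return None
    user, arg = m["user"], m["arg"]
    if not SAFE_NAME_RE.match(arg):
        return f"{user}: malformed feature name {arg!r}"
    if arg not in expected_features.get(user, set()):
        return f"{user}: feature list {arg!r} not assigned to this account"
    return None


def scan(lines, expected_features):
    """Run check_line over every line and keep only the findings."""
    return [r for r in (check_line(l, expected_features) for l in lines) if r]


# Constructed sample log: one benign load, one unrelated call, one traversal-style
# name, and one load of a feature list the account was never assigned.
SAMPLE_LOG = """\
2026-05-09 10:14:02 user=alice call=feature::LOADFEATUREFILE arg=default
2026-05-09 10:14:03 user=alice call=uapi::Email::list_pops arg=-
2026-05-09 10:14:05 user=mallory call=feature::LOADFEATUREFILE arg=../../etc/passwd
2026-05-09 10:14:09 user=bob call=feature::LOADFEATUREFILE arg=reseller1_premium
""".splitlines()
EXPECTED = {"alice": {"default"}, "mallory": {"default"}, "bob": {"default"}}

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, EXPECTED):
        print("ALERT", finding)
```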

Background: Understanding the Risk

cPanel and WHM are the dominant web hosting control panels globally, translating complex server administration into a browser-accessible interface. Their ubiquity makes them a persistently high-value target: one exploitable flaw can be automated at scale across thousands of hosting providers with a single scanner.

This is the second emergency TSR from WebPros in ten days, following the CVE-2026-41940 critical pre-auth patch on April 28. The compressed timeline suggests either an active internal security audit has uncovered a broader vulnerability class, or external researchers are systematically examining cPanel's attack surface following the high-profile CVE-2026-41940 disclosure — a pattern common after major patches, when researchers reverse-engineer the binary diff to identify closely related bugs.

Symlink attacks — the root cause of CVE-2026-29203 — have a long history in shared-hosting environments. They exploit the inherent privilege boundary between a hosting tenant and the underlying filesystem: because multiple users share the same OS, a crafted symlink can bridge the access gap. Mitigations such as CageFS (a filesystem virtualisation layer that restricts each user to an isolated view of the filesystem, used by CloudLinux and similar distributions) significantly reduce the attack surface, but not all shared hosting configurations enforce CageFS fully across all API call paths.

Authenticated RCE bugs like CVE-2026-29202 warrant urgent response even when they require a valid login. In shared hosting, credentials are routinely stolen via phishing, credential-stuffing attacks against reused passwords, or purchased in bulk from infostealer logs sold on underground forums. A threat actor with a dump of compromised cPanel credentials — a commodity routinely sold for as little as $1–$5 per account on criminal marketplaces — can chain those credentials with CVE-2026-29202 to move laterally across an entire hosting provider's infrastructure from a single tenant account.

The broader context: web hosting providers operate some of the densest multi-tenant environments in existence. A single VPS running cPanel may serve hundreds of customer domains. Any breach that escalates from tenant-level access to server-level access compromises all hosted customers simultaneously — making RCE and privilege escalation bugs in hosting control panels disproportionately impactful relative to their raw CVSS scores.

CVE-2026-29202 repeats the same root-cause class seen in previous cPanel vulnerabilities: insufficient validation on API parameters that accept plugin or module names. This class of bug is worth tracking across the full cPanel API surface, as the create_user call is unlikely to be the only API endpoint that processes user-controlled plugin identifiers.

Conclusion

CVE-2026-29202 and CVE-2026-29203 (both CVSS 8.8, High) represent genuine risk to any cPanel/WHM installation serving shared hosting tenants, and CVE-2026-29201 adds a meaningful file-read vector for targeted reconnaissance. The single most important action is running /scripts/upcp now and confirming the installed version matches the patched build for your branch. Given the active adversary interest in cPanel infrastructure following CVE-2026-41940, administrators who defer this update are operating on borrowed time.
