CVE DATABASE / CVE-2026-29201

CVE-2026-29201

CVSS 8.6 · HIGH

Summary

Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.

CVSS 3.1 breakdown

Base score	8.6 (HIGH)
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack vector	NETWORK
Attack complexity	LOW
Privileges required	NONE
User interaction	NONE
Scope	UNCHANGED
Confidentiality	HIGH
Integrity	LOW
Availability	LOW

Weakness type (CWE)

CWE-23

Check this CVE live

Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.

Our coverage

cPanel and WHM Patch Three Vulnerabilities Including RCE and Privilege Escalation

References

https://support.cpanel.net/hc/en-us/articles/40311033698327-Security-CVE-2026-29201-cPanel-WHM-WP2-Security-Update-May-08-2026

Data: NIST NVD. NVD last modified 2026-05-13. Always verify against the vendor advisory before acting.