CVE DATABASE / CVE-2026-29202

CVE-2026-29202

CVSS 8.8 · HIGH

Summary

Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.

CVSS 3.1 breakdown

Base score	8.8 (HIGH)
Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack vector	NETWORK
Attack complexity	LOW
Privileges required	LOW
User interaction	NONE
Scope	UNCHANGED
Confidentiality	HIGH
Integrity	HIGH
Availability	HIGH

Weakness type (CWE)

CWE-94

Check this CVE live

Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.

Our coverage

YARA-X 1.16.0: Faster Scans, Panic Fixes, and Neovim LSP Support
Twelve Critical vm2 Node.js Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution
CVE-2026-6973: Ivanti EPMM Zero-Day Exploited, 850+ Servers Exposed
CVE-2025-68670: Critical Pre-Auth RCE in xrdp Exposes Linux Remote Desktop Servers
cPanel and WHM Patch Three Vulnerabilities Including RCE and Privilege Escalation

References

https://support.cpanel.net/hc/en-us/articles/40311426610327-Security-CVE-2026-29202-cPanel-WHM-WP2-Security-Update-May-08-2026

Data: NIST NVD. NVD last modified 2026-05-13. Always verify against the vendor advisory before acting.