Critical: Three New cPanel & WHM Vulnerabilities (CVEs 2026-29201/2/3) Threaten Code Execution and DoS — Patch Immediately + Video

Listen to this Post

🐢▶️ Listen🚀

Introduction:

Three newly disclosed critical security vulnerabilities in cPanel & WHM, tracked as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, could allow attackers to execute arbitrary Perl code, escalate privileges, cause denial-of-service (DoS), and read sensitive files. Patched on May 8, 2026, these flaws affect a wide range of cPanel versions and the WP Squared platform, posing an immediate risk to hosting providers and server administrators. This article provides an in‑depth technical analysis, including step‑by‑step mitigation, verification commands, and security hardening measures.

Learning Objectives:

• Identify the nature and impact of the three cPanel vulnerabilities (CVE-2026-29201, CVE-2026-29202, CVE-2026-29203)
• Execute manual and automated commands to check cPanel versions and apply security patches
• Implement additional security controls (file permissions, symlink restrictions, API hardening)
• Learn detection techniques to identify potential exploitation attempts

You Should Know:

1. CVE-2026-29201 – Arbitrary File Read via `feature::LOADFEATUREFILE`

This vulnerability (CVSS 4.3) stems from insufficient input validation of the feature file name in the `feature::LOADFEATUREFILE` adminbin call. An authenticated attacker can supply a relative path to read any file accessible by the cPanel process, potentially exposing configuration files, passwords, or system logs. Although medium severity, it can be a precursor to more severe attacks.

Step‑by‑step guide:

• Check current cPanel version (on Linux):

  /usr/local/cpanel/cpanel -V
  

• Compare output with patched versions: 11.136.0.9+, 11.134.0.25+, 11.132.0.31+, 11.130.0.22+, 11.126.0.58+, 11.124.0.37+, 11.118.0.66+, 11.110.0.116+, 11.110.0.117+, 11.102.0.41+, 11.94.0.30+, 11.86.0.43+.
• If vulnerable, run the official update command:

  /scripts/upcp --force
  

• Verify update completed successfully:

  /usr/local/cpanel/cpanel -V
  

• Disable or restrict the vulnerable API endpoint if not required (e.g., via firewall rules or IP whitelisting).

1. CVE-2026-29202 – Arbitrary Perl Code Injection (CVSS 8.8)

This high‑severity flaw exists in the `create_user` API call due to improper validation of the `plugin` parameter. An authenticated attacker can inject malicious Perl code, leading to remote privilege escalation. Perl is the core language of cPanel, so successful exploitation can compromise the entire hosting environment.

Step‑by‑step guide:

• Identify potentially vulnerable accounts `grep -r “create_user” /usr/local/cpanel/logs/error_log` (Linux)
• Apply the official patch (same commands as for CVE-2026-29201)
• For legacy systems (CentOS 6/CloudLinux 6), set the upgrade tier:

  sed -i "s/CPANEL=./CPANEL=cl6110/g" /etc/cpupdate.conf
  

• Restrict API access for `create_user` using IP whitelisting or custom Apache rules.
• Monitor for Perl code injection attempts in logs:

  grep -E "(eval|system|exec|backticks)" /usr/local/cpanel/logs/access_log
  

3. CVE-2026-29203 – Unsafe Symlink Handling (CVSS 8.8)

This vulnerability arises from unsafe symlink handling in cPanel’s `chmod` operations, allowing an authenticated user to modify permissions of arbitrary files via symlinks. This can lead to DoS or privilege escalation, especially when chained with other vulnerabilities.

Step‑by‑step guide:

• Check if your system follows symlinks insecurely (conceptual check):

  ls -la /path/to/user/home/.cpanel/nova/
  

• Apply the official cPanel patch as described above.
• Harden symlink protection (Linux):

  echo "fs.protected_symlinks = 1" >> /etc/sysctl.conf
  sysctl -p
  

• Audit existing symlinks for suspicious entries:

  find /home -type l -ls
  

• Consider restricting `chmod` for unprivileged users via cPanel’s security policies.

4. The Exploitation Context and Chain Attacks

These vulnerabilities were discovered during an emergency code audit after a major ransomware campaign (CVE-2026-41940, CVSS 9.8) compromised over 44,000 servers. Attackers often chain arbitrary file read, Perl injection, and symlink flaws to achieve complete server takeover.

Verification & Monitoring:

• Check for unauthorized files accessed via CVE-2026-29201:

  grep "feature::LOADFEATUREFILE" /usr/local/cpanel/logs/access_log | grep -v ".(yaml|yml)$"
  

• Detect Perl injection attempts (CVE-2026-29202):

  grep -E "plugin\s=" /usr/local/cpanel/logs/access_log | grep -E "(eval|system|exec)"
  

• Look for symlink abuse (CVE-2026-29203):

  find /home -type l -exec ls -la {} \; | grep -E "-> (..|/etc|/root|/var)"
  

5. Defensive Hardening & Remediation

Beyond patching, implement these measures to reduce risk.

• Linux Hardening:

  Restrict cPanel API access
  iptables -A INPUT -p tcp --dport 2086 -s trusted_ip -j ACCEPT
  iptables -A INPUT -p tcp --dport 2086 -j DROP
  

• Windows (if using cPanel on Windows): Not typical; cPanel is Linux‑native.
• Enable Two‑Factor Authentication (2FA) for all cPanel/WHM accounts.
• Regular security audits:

  /scripts/check_cpanel_rpms --fix
  

6. AI and Cybersecurity Training Implications

While not directly AI or training, these vulnerabilities highlight the need for continuous security education. For professionals seeking to deepen their expertise, consider:
– Linux Security Hardening courses (e.g., Linux Foundation’s security track)
– Web application security training focusing on input validation (OWASP Top 10)
– Perl security fundamentals to understand code injection risks
– Cloud hardening workshops (AWS, Azure) to apply these principles in cloud environments

What Undercode Say:

• Key Takeaway 1: Even moderate‑severity flaws (CVE‑2026‑29201) can be the first stage of a devastating chain attack when combined with high‑severity vulnerabilities.
• Key Takeaway 2: Immediate patching is non‑negotiable — 44,000 servers were compromised in a recent ransomware spree exploiting a similar chain, proving that delayed action leads to massive data breaches.
• Analysis: This disclosure pattern is a wake‑up call for the entire web hosting industry. The stacking of CVEs within a short time frame suggests that security audits in complex control panels like cPanel may uncover many latent issues. The use of Perl, a powerful but less‑scrutinized language in modern stacks, introduces unique injection risks. Administrators must adopt defense‑in‑depth: patch quickly, restrict API access, harden symlink protections, and continuously monitor for anomalous behaviors.

Prediction:

In the next six months, we will see a surge of exploit‑in‑the‑wild activity targeting these three vulnerabilities, as threat actors weaponize publicly available details. Hosting providers that delay patching will face ransomware and data theft incidents. Consequently, a wave of “cPanel security hardening” services will emerge, with increased regulatory scrutiny on web hosting security practices. AI‑powered log analysis tools will be rapidly adopted to detect the subtle traces of chained exploits across thousands of servers.

▶️ Related Video (74% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Cybersecuritynews Share – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky