cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now  Ravie Lakshmanan  May 09, 2026 Vulnerability / Web Hosting cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to achieve privilege escalation, code execution, and denial-of-service. The list of vulnerabilities is as follows - CVE-2026-29201 (CVSS score: 4.3) - An insufficient input validation of the feature file name in the "feature::LOADFEATUREFILE" adminbin call that could result in an arbitrary file read. CVE-2026-29202 (CVSS score: 8.8) - An insufficient input validation of the "plugin" parameter in the "create_user API" call that could result in arbitrary Perl code execution on behalf of the already authenticated account's system user. CVE-2026-29203 (CVSS score: 8.8) - An unsafe symlink handling vulnerability that allows a user to modify access permissions of an arbitrary file using chmod, resulting in denial-of-service or possible privilege escalation. The shortcomings have been patched in the following versions - cPanel and WHM - 11.136.0.9 and higher 11.134.0.25 and higher 11.132.0.31 and higher 11.130.0.22 and higher 11.126.0.58 and higher 11.124.0.37 and higher 11.118.0.66 and higher 11.110.0.116 and higher 11.110.0.117 and higher 11.102.0.41 and higher 11.94.0.30 and higher 11.86.0.43 and higher WP Squared - 11.136.1.10 and higher cPanel has released 110.0.114 as a direct update for customers who are still on CentOS 6 or CloudLinux 6. Users are advised to update to the latest versions for optimal protection. While there is no evidence that the vulnerabilities have been exploited in the wild, the disclosure comes days after another critical flaw in the product (CVE-2026-41940) has been weaponized by threat actors as a zero-day to deliver Mirai botnet variants and a ransomware strain called Sorry. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post. SHARE      Tweet  Share  Share  Share   Share on Facebook  Share on Twitter  Share on Linkedin  Share on Reddit  Share on Hacker News  Share on Email  Share on WhatsApp Share on Facebook Messenger  Share on Telegram SHARE  Code Execution , cPanel , cybersecurity , denial of service , privilege escalation , Vulnerability , web hosting , WHM ⚡ Top Stories This Week Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages Vercel Finds More Compromised Accounts in Context.ai-Linked Breach ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking and More Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately ⭐ Featured Resources [Webinar] Stop Chasing Alerts and Start Focusing on Real Exposures [Guide] How to Enable Secure Data Movement Without Added Risk Learn How Hidden Identity Blind Spots Weaken Your Security Systems [Guide] Learn a Practical Framework to Evaluate AI Tools for Production