cPanel has released its May 2026 security bulletin addressing three newly discovered vulnerabilities in cPanel/WHM web hosting control panel software. These vulnerabilities are separate from CVE-2026-41940, the critical authentication bypass zero-day that was mass-exploited in May 2026 by the Sorry ransomware group (which compromised over 44,000 web hosting servers). The new CVEs add further urgency to patch prioritisation for web hosting operators already managing post-exploitation response.
New Vulnerabilities
CVE-2026-29202 — Perl Code Execution (CVSS 8.8) An issue in cPanel’s internal Perl scripting environment allows an authenticated user with limited hosting control panel access (reseller or cPanel user level, not requiring WHM administrator access) to execute arbitrary Perl code in the context of the web server process. The vulnerability exists in how cPanel handles certain template rendering inputs that are passed unsanitised to an internal Perl evaluation context. A successful exploit provides code execution as the web server user account, which in typical hosting configurations has read access to all virtual host document roots on the server.
CVE-2026-29203 — Symlink Privilege Escalation (CVSS 8.8)
A race condition in cPanel’s file management component allows an authenticated user to create a symlink that is subsequently followed by a privileged cPanel system process during routine maintenance operations. Under specific timing conditions, this allows writing to arbitrary files accessible to the privileged process — potentially including cron.d entries, sudoers configuration, or other files that can be leveraged to achieve local root access. The attack requires a local user account on the shared hosting server.
CVE-2026-29201 — Arbitrary File Read (CVSS 4.3) A path traversal in cPanel’s file viewer component allows an authenticated user to read arbitrary files accessible to the cPanel process. This includes configuration files that may contain database credentials, application API keys, or other sensitive material stored in web application configuration files. While lower severity than the code execution flaws, it is particularly relevant in shared hosting environments where one tenant reading another’s configuration files could facilitate lateral movement.
Context: Elevated cPanel Threat Posture
cPanel/WHM’s current security landscape warrants treating this month’s patches as high priority for several reasons:
-
Active exploitation baseline: The mass exploitation of CVE-2026-41940 (Sorry ransomware, 44,000+ servers in May 2026) has demonstrated that the cPanel ecosystem is under active, sophisticated targeting. The presence of exploitation tooling developed for one cPanel vulnerability increases the likelihood that new CVEs are rapidly weaponised.
-
Shared hosting data concentration: cPanel servers frequently host hundreds or thousands of virtual hosting accounts. A single server compromise — achieved through any of these CVEs — provides access to all hosted sites, databases, and email content.
-
Reseller access vectors: CVE-2026-29202 is exploitable by authenticated reseller accounts — a privilege level routinely sold to customers of managed hosting resellers and available to a broader population than server administrators.
Remediation
Apply the cPanel/WHM security release via the update interface (WHM > cPanel > Update), or via command line:
/scripts/upcp --forceConfirm the installed version is at or above 114.0.22 (cPanel 114 branch) or 120.0.13 (cPanel 120 branch) following the update — specific version numbers in the cPanel bulletin.
For hosting providers managing large fleets of cPanel servers, prioritise those that also have unresolved CVE-2026-41940 exposure or those hosting high-value clients with sensitive data.
Share this article