Following a chaotic April that saw a massive zero-day authentication bypass (CVE-2026-41940), cPanel and WHM administrators are facing a second wave of critical security threats. On May 8, 2026, cPanel disclosed three new vulnerabilities—CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203—that affect its core hosting control panel and the specialized WP Squared (WP2) platform.
These flaws allow for a range of devastating attacks, including arbitrary system file reads, Perl code injection (RCE), and privilege escalation. With thousands of servers still recovering from the “Sorry” ransomware campaign linked to April’s exploits, immediate patching is non-negotiable.
The Vulnerability Breakdown
The three vulnerabilities represent different vectors of attack, ranging from information disclosure to full server takeover.
| CVE ID | Type | Impact | Technical Detail |
| --- | --- | --- | --- |
| CVE-2026-29201 | Arbitrary File Read | Medium | Improper validation in the feature::LOADFEATUREFILE call allows attackers to use relative paths to read sensitive system files. |
| CVE-2026-29202 | Perl Code Injection | Critical | The create_user API fails to sanitize the plugin parameter, allowing an authenticated attacker to execute arbitrary Perl code as a system user. |
| CVE-2026-29203 | Unsafe Symlink | High | A symlink handling error allows users to chmod arbitrary files, potentially leading to a Denial of Service (DoS) or privilege escalation to root. |
Context: The Shadow of CVE-2026-41940
This security advisory comes on the heels of CVE-2026-41940, an authentication bypass that was weaponized by threat actors as a zero-day starting in February 2026. That earlier exploit allowed unauthenticated attackers to gain root access, resulting in the compromise of an estimated 44,000 servers. While there is currently no evidence that the three new May vulnerabilities have been exploited in the wild, the technical overlap in the affected codebases suggests that attackers are actively scrutinizing these platforms.
Immediate Action Plan for Administrators
cPanel has released patches across all active branches. Administrators should verify they are running the following versions or higher:
- cPanel & WHM: 11.136.0.9, 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, 11.124.0.37, 11.118.0.66, 11.110.0.116, 11.110.0.117, 11.102.0.41, 11.94.0.30, 11.86.0.43.
- WP Squared: 11.136.1.10.
How to Patch Now
Force an immediate update on your server with the following command:
```bash
/scripts/upcp --force
```
Special Case: CentOS 6 / CloudLinux 6
For servers on the cPanel 110 branch (legacy OS), set the correct update tier before running the update:
```bash
sed -i "s/CPANEL=.*/CPANEL=cl6110/g" /etc/cpupdate.conf
/scripts/upcp --force
```
Remediation Checklist
- Verify the Version: After patching, run `/usr/local/cpanel/cpanel -V` to confirm your version matches the secure releases.
- Audit `create_user` Logs: Review API logs for any unusual activity involving the `plugin` parameter.
- Monitor for Symlinks: Check for unauthorized `chmod` changes on critical system files, especially those not typically accessible to user-level accounts.
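The "Verify the Version" step can be scripted across a fleet. The POSIX shell function below is an added example, not cPanel's own tooling: it compares a dotted version string against the patched builds listed in the action plan. The function name and exit codes are illustrative, the version is assumed to be passed in the 11.x.y.z form used in that list, and for branch 110, where two builds are listed, the lower one is treated as the floor.

```shell
#!/bin/sh
# Added example. Floors are copied from the patched-version list in this
# article, keyed by "branch.minor" (136.1 is the WP Squared build).
# Assumption: branch 110 lists two builds; the lower one is used as the floor.
PATCHED_FLOORS="136.0=9 134.0=25 132.0=31 130.0=22 126.0=58 124.0=37 \
118.0=66 110.0=116 102.0=41 94.0=30 86.0=43 136.1=10"

# check_cpanel_version VERSION   (e.g. 11.134.0.25)
# Exit status: 0 = at or above the patched build
#              1 = below the patched build
#              2 = branch not in the list (no fixed build is given for it)
#              3 = malformed version string
check_cpanel_version() (
    # Allow digits and dots only, so nothing else reaches word splitting.
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) exit 3 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] && [ "$1" = 11 ] || exit 3
    key="$2.$3" build=$4
    IFS=' '
    for entry in $PATCHED_FLOORS; do
        if [ "${entry%%=*}" = "$key" ]; then
            [ "$build" -ge "${entry#*=}" ] && exit 0
            exit 1
        fi
    done
    exit 2
)

# Optional command-line use: sh check_version.sh 11.134.0.25
# (check_version.sh is a hypothetical file name.)
if [ "$#" -gt 0 ]; then
    rc=0; check_cpanel_version "$1" || rc=$?
    case $rc in
        0) echo "$1: at or above the patched build" ;;
        1) echo "$1: below the patched build, update required" ;;
        2) echo "$1: branch not in the patched list" ;;
        *) echo "$1: not a recognised version string" ;;
    esac
fi
```

Status 2 is reported separately from status 1 because a branch missing from the list cannot be judged from the build number alone.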