CVE-2026-29202 — a high-severity weakness that allows arbitrary Perl code execution via the "plugin" parameter in the "create_user API" call — is one of three vulnerabilities cPanel has patched in its cPanel and Web Host Manager (WHM) product line.
The vulnerabilities: CVE-2026-29201, CVE-2026-29202, CVE-2026-29203
cPanel published fixes for three distinct flaws that, together, could be used to read files, execute code, or disrupt service. The vendor’s advisory lists the issues as:
- CVE-2026-29201 (CVSS score: 4.3) — “An insufficient input validation of the feature file name in the 'feature::LOADFEATUREFILE' adminbin call that could result in an arbitrary file read.”
- CVE-2026-29202 (CVSS score: 8.8) — “An insufficient input validation of the 'plugin' parameter in the 'create_user API' call that could result in arbitrary Perl code execution on behalf of the already authenticated account's system user.”
- CVE-2026-29203 (CVSS score: 8.8) — “An unsafe symlink handling vulnerability that allows a user to modify access permissions of an arbitrary file using chmod, resulting in denial-of-service or possible privilege escalation.”
The advisory assigns the two higher-severity issues (29202 and 29203) an 8.8 CVSS score, indicating the potential for code execution and privilege escalation in environments where the vulnerable calls are reachable by authenticated accounts.
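The third issue, as the advisory describes it, is a classic symlink-following permission change. As an added example (not cPanel's code and not taken from the advisory), the Python below shows the unsafe pattern beside a hardened one on a constructed file layout: a protected file outside a user-writable directory and a symlink inside that directory pointing at it. `chmod_following_symlinks` and `chmod_nofollow` are names chosen for this illustration; the hardened form opens the path with `O_NOFOLLOW` and changes the mode on the descriptor with `fchmod`, so there is no check-then-act window and a symlink at the final path component is rejected outright.

```python
"""Symlink-safe permission change: the unsafe chmod pattern beside a hardened one.
Added example, not cPanel's code; the file layout is constructed for the demo."""
import errno
import os
import stat
import tempfile


def chmod_following_symlinks(path: str, mode: int) -> None:
    """Unsafe pattern: os.chmod() follows symlinks, so a link placed in a
    user-writable directory redirects the permission change to its target."""
    os.chmod(path, mode)


def chmod_nofollow(path: str, mode: int) -> bool:
    """Hardened pattern: open with O_NOFOLLOW so a symlink at the final
    component fails with ELOOP, then fchmod() the open descriptor.
    Returns False when the path was refused because it is a symlink."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            return False
        raise
    try:
        os.fchmod(fd, mode)
    finally:
        os.close(fd)
    return True


def mode_of(path: str) -> int:
    """Permission bits of the file the path resolves to."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Run both patterns against a constructed layout and report what each
    did to the protected file outside the user's directory."""
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "protected.conf")  # constructed target
        with open(protected, "w") as fh:
            fh.write("secret=1\n")
        os.chmod(protected, 0o600)

        userdir = os.path.join(root, "userdir")  # constructed user-writable dir
        os.mkdir(userdir)
        link = os.path.join(userdir, "looks_harmless")
        os.symlink(protected, link)
        regular = os.path.join(userdir, "own_file.txt")
        with open(regular, "w") as fh:
            fh.write("mine\n")
        os.chmod(regular, 0o600)

        # Unsafe: the chmod lands on the protected file, not on the link.
        chmod_following_symlinks(link, 0o666)
        after_unsafe = mode_of(protected)
        os.chmod(protected, 0o600)  # reset before the hardened run

        # Hardened: the symlink is refused, the user's own regular file is fine.
        link_accepted = chmod_nofollow(link, 0o666)
        after_hardened = mode_of(protected)
        regular_accepted = chmod_nofollow(regular, 0o644)
        regular_mode = mode_of(regular)

        return {
            "after_unsafe": after_unsafe,          # 0o666: protected file opened up
            "link_accepted": link_accepted,        # False: symlink refused
            "after_hardened": after_hardened,      # 0o600: unchanged
            "regular_accepted": regular_accepted,  # True: normal file still works
            "regular_mode": regular_mode,          # 0o644
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {oct(value) if isinstance(value, int) else value}")
```

`O_NOFOLLOW` only guards the final path component; if an attacker-controlled directory higher up the path can itself be a symlink, the caller also needs to open each component step by step (`openat` with `O_NOFOLLOW` on every step) or operate only on paths the privileged code owns end to end.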
Patched releases and the special CentOS 6 / CloudLinux 6 update
cPanel says the shortcomings have been patched across a broad set of release lines. The fixed releases for cPanel and WHM begin at:
- 11.136.0.9 and higher
- 11.134.0.25 and higher
- 11.132.0.31 and higher
- 11.130.0.22 and higher
- 11.126.0.58 and higher
- 11.124.0.37 and higher
- 11.118.0.66 and higher
- 11.110.0.116 and higher
- 11.110.0.117 and higher
- 11.102.0.41 and higher
- 11.94.0.30 and higher
- 11.86.0.43 and higher
For WP Squared the fixed release starts at 11.136.1.10 and higher. For customers still running CentOS 6 or CloudLinux 6, cPanel released 110.0.114 as a direct update. The vendor’s guidance in the advisory is clear: users are advised to update to the latest versions for optimal protection.
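As an added example (not cPanel's own tooling and not part of the advisory), the Python below compares an installed cPanel & WHM version against the fixed releases listed above and reports whether the install is at or past the fix for its release line. It assumes the installed version is read from /usr/local/cpanel/version as a dotted string, that a three-part version such as 110.0.114 is the same release line as 11.110.0.x with the legacy "11." prefix dropped, and, where the list gives two fixed versions on one line (11.110.0.116 and 11.110.0.117), it conservatively requires the higher one. The `legacy_el6` flag selects the separate CentOS 6 / CloudLinux 6 threshold of 110.0.114.

```python
"""Check an installed cPanel & WHM version against the fixed releases listed
for CVE-2026-29201, CVE-2026-29202 and CVE-2026-29203.
Added example, not cPanel's code."""
import re
from typing import Optional

# Fixed releases exactly as listed on the page ("<version> and higher").
FIXED_RELEASES = [
    "11.136.0.9", "11.134.0.25", "11.132.0.31", "11.130.0.22", "11.126.0.58",
    "11.124.0.37", "11.118.0.66", "11.110.0.116", "11.110.0.117", "11.102.0.41",
    "11.94.0.30", "11.86.0.43",
    "11.136.1.10",  # WP Squared
]
# Direct update for CentOS 6 / CloudLinux 6 systems, as listed on the page.
LEGACY_EL6_FIXED = "110.0.114"

# Assumption: this file holds a single dotted version string on a cPanel host.
VERSION_FILE = "/usr/local/cpanel/version"


def parse_version(text: str) -> tuple:
    """Turn '11.136.0.9' or '110.0.114' into a comparable tuple of ints.
    Assumption: a three-part version omits the legacy '11.' prefix."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){2,3}", text):
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) == 3:
        parts = (11,) + parts
    return parts


def release_line(version: tuple) -> tuple:
    """Release line = first three components, e.g. (11, 136, 0)."""
    return version[:3]


def minimum_fixed_for(line: tuple, legacy_el6: bool = False) -> Optional[tuple]:
    """Fixed version that applies to this release line, or None if the line is
    not in the advisory. When the list names two fixed versions on one line,
    the higher one is required (conservative reading)."""
    if legacy_el6:
        fixed = parse_version(LEGACY_EL6_FIXED)
        return fixed if release_line(fixed) == line else None
    candidates = [parse_version(f) for f in FIXED_RELEASES
                  if release_line(parse_version(f)) == line]
    return max(candidates) if candidates else None


def assess(version: str, legacy_el6: bool = False) -> dict:
    """Classify an installed version as 'patched', 'vulnerable' or 'unknown'
    (release line not covered by the advisory; treat as needing review)."""
    installed = parse_version(version)
    fixed = minimum_fixed_for(release_line(installed), legacy_el6)
    if fixed is None:
        status = "unknown"
    elif installed >= fixed:
        status = "patched"
    else:
        status = "vulnerable"
    return {"installed": installed, "fixed": fixed, "status": status}


if __name__ == "__main__":
    with open(VERSION_FILE) as fh:
        result = assess(fh.read())
    print(f"installed {'.'.join(map(str, result['installed']))}: {result['status']}"
          + (f" (fix: {'.'.join(map(str, result['fixed']))})" if result["fixed"] else ""))
```

Run it on each host as part of the patch verification step; a result of "unknown" means the release line is not on the advisory's list at all and the host should be looked at by hand rather than assumed safe.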
Context: close on the heels of an exploited zero-day (CVE-2026-41940)
cPanel’s disclosure of these three flaws comes days after a separate, previously disclosed critical vulnerability — CVE-2026-41940 — was weaponized. The advisory notes that threat actors used that flaw as a zero-day to deliver Mirai botnet variants and a ransomware strain called Sorry. By contrast, cPanel says there is currently no evidence that CVE-2026-29201, CVE-2026-29202, or CVE-2026-29203 have been exploited in the wild.
What this means for cPanel customers, security teams, and threat actors
- cPanel customers and hosting administrators: The immediate, concrete step in the advisory is to update to one of the patched releases listed above or, for CentOS 6 / CloudLinux 6 users, to apply 110.0.114. Those updates close the arbitrary file read, arbitrary Perl code execution, and unsafe symlink handling pathways described in the advisory.
- Security and incident-response teams: The advisory’s juxtaposition of these fixes with the weaponization of CVE-2026-41940 underlines why rapid patch management and monitoring for post-exploit indicators remain important. cPanel reports no known exploitation of the three CVEs at publication, but teams will weigh that statement against recent exploitation activity documented for CVE-2026-41940.
- Adversaries and threat actors: The advisory records that threat actors recently leveraged a different cPanel zero-day (CVE-2026-41940) to distribute Mirai variants and the Sorry ransomware strain, a fact defenders must factor into risk assessments for new disclosures affecting the same product.
Conclusion
cPanel has issued patches that close three vulnerabilities spanning file reads, remote code execution via Perl, and unsafe symlink handling. The vendor provides a long list of fixed versions and a dedicated update (110.0.114) for systems on CentOS 6 or CloudLinux 6. While cPanel reports no evidence that the three new CVEs have been exploited in the wild, their publication arrives days after a separate cPanel zero-day (CVE-2026-41940) was weaponized to deliver Mirai botnet variants and the Sorry ransomware strain — an immediate reminder that newly disclosed flaws in widely deployed control panels merit prompt attention.
Original advisory: https://thehackernews.com/2026/05/cpanel-whm-patch-3-new-vulnerabilities.html