Critical cPanel & WHM Vulnerabilities: 3 Flaws You Need to Patch Now

Security updates have been released for cPanel and Web Host Manager (WHM) that address three newly discovered vulnerabilities. These flaws could allow attackers to escalate privileges, execute arbitrary code, or cause denial-of-service conditions. Given the critical nature of these issues, administrators are urged to apply the patches immediately to protect their hosting environments. Below are the key details every system administrator should know.

1. Overview of the Three Vulnerabilities

cPanel and WHM are widely used in web hosting for server management. The latest security advisory outlines three distinct vulnerabilities, each with varying severity. The most severe allows remote code execution, while the others could lead to privilege escalation or denial-of-service. Although the full technical details have been kept under wraps to give users time to patch, the company has assigned CVE identifiers and provided patches in the latest stable release. It's essential to understand the potential impact on your infrastructure and prioritize updates accordingly.

2. CVE-2026-29201: Privilege Escalation via Input Validation

This flaw (CVE-2026-29201, CVSS 4.3) stems from insufficient input validation in the feature file name parameter of the feature::LOADFEATUREFILE adminbin call. An attacker with limited access could exploit this to escalate privileges, gaining higher-level control over the server. While the CVSS score is moderate, the potential for misuse in a multi-user hosting environment makes this a serious concern. The fix involves stricter validation of input to prevent malicious file names from being processed. Admins running unpatched versions should treat this as a priority.

3. CVE-2026-29202: Code Execution Vulnerability

The second vulnerability (CVE-2026-29202) could allow an authenticated attacker to execute arbitrary code on the server. Though the exact vector has not been publicly disclosed, it is believed to involve a flawed permission check in one of cPanel's internal scripts. Successful exploitation could lead to full compromise of the hosting account or even the server itself. This is the most critical of the three flaws, and immediate patching is strongly recommended. The patch introduces additional authentication and sanitization measures.

4. CVE-2026-29203: Denial-of-Service Flaw

The third issue (CVE-2026-29203) is a denial-of-service vulnerability that can be triggered remotely. By sending specially crafted requests, an unauthenticated attacker could cause the cPanel/WHM service to crash, disrupting hosted websites and services. Although this does not lead to data loss or theft, the downtime can be costly. The patch addresses this by improving request validation and implementing rate limiting. For high-availability environments, this fix should be applied at the same time as the others.

5. Immediate Steps to Patch and Protect

To mitigate these risks, patch your cPanel and WHM installations immediately. Log in to your server's command line or WHM interface and update to the latest release (check the official changelog for version numbers). If you use an update manager, ensure automatic updates are enabled. Additionally, review your server logs for any signs of suspicious activity related to the described attack vectors. Consider implementing stricter access controls and monitoring for unusual adminbin calls. For further guidance, consult the official cPanel security documentation.

In summary, these three vulnerabilities—covering privilege escalation, code execution, and denial-of-service—demand urgent attention from all cPanel and WHM administrators. By applying the patches today, you can significantly reduce your risk of compromise and ensure the continued security of your hosting environment.