cPanel Patches Three New Vulnerabilities Enabling Code Execution and DoS – Update Your Installations

The CyberSec Guru

cPanel & WHM Security Update


Ten days. That's how long it took cPanel to issue a second emergency patch after the worst attack on its platform in recent memory. On May 8 the company pushed fixes for three newly disclosed vulnerabilities, CVE-2026-29201, CVE-2026-29202 and CVE-2026-29203, covering its cPanel & WHM control panel and its WP Squared (WP2) platform. Two of the three score 8.8 on the CVSS scale, which places them in the High severity tier.

If you run cPanel on any server, you need to patch it now.


What Got Found, and Why It Matters

CVE-2026-29202 (CVSS 8.8) is the worst of the three. It's an input validation failure in the plugin parameter of the create_user API call, and it lets an authenticated attacker inject and execute arbitrary Perl code as the system user tied to their account. In a shared hosting environment that's a serious problem: a low-privilege tenant account becomes a foothold on the underlying server.

CVE-2026-29203 (CVSS 8.8) involves how cPanel handles symbolic links during chmod operations. chmod follows symlinks, so the permission change lands on whatever the link points at: an attacker can create a symlink pointing at a sensitive system file, trigger the permission change through cPanel, and either break services outright or set up a privilege escalation chain. Both outcomes are bad. Combined with CVE-2026-29202, an attacker with a basic hosting account could plausibly work toward root.

CVE-2026-29201 (CVSS 4.3) is lower severity but still worth understanding. The feature::LOADFEATUREFILE adminbin call doesn't adequately validate its file name parameter, so an attacker can pass a relative path and have an arbitrary file on the server made world-readable. Private keys, credential files, config data: anything within reach becomes readable if the attacker knows what to ask for.

In shared hosting environments where multiple tenants run on the same server, CVE-2026-29202 and CVE-2026-29203 together create meaningful exposure to lateral movement and full server compromise.
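The three bug classes above (an untrusted parameter interpolated into code that is evaluated, a file-name parameter that is joined onto a directory, and a chmod that follows a symlink) share one remedy: validate the value against what it is allowed to be, and perform the privileged operation in a way that cannot be redirected. The block below is an added example written for this post in Python so that it runs as-is; it is not cPanel's Perl code, and the function names, the feature-directory layout and the plugin-name rules are assumptions made for illustration. chmod_vulnerable shows the follow-the-link behaviour on a constructed layout and chmod_nofollow the descriptor-based fix.

```python
"""Hardening patterns for the three bug classes above.

Added example, not cPanel's Perl: function names, the feature-directory layout
and the plugin-name rules are assumptions made for illustration.
"""
import os
import re
import stat
import tempfile

# CVE-2026-29202 class: a value that ends up inside code that is later evaluated
# must be allow-listed, not escaped. A plugin name has no business containing
# quotes, semicolons, whitespace or path separators.
PLUGIN_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")


def is_valid_plugin_name(name: str) -> bool:
    """Accept only a bare identifier; reject everything else outright."""
    return PLUGIN_NAME_RE.fullmatch(name) is not None


# CVE-2026-29201 class: a "file name" joined onto a base directory must be a
# single path component, and the resolved path must still sit inside that
# directory after symlinks are followed.
FEATURE_NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")


def resolve_feature_file(base_dir: str, name: str):
    """Canonical path of an existing feature file, or None if name escapes base_dir."""
    if name in (".", "..") or FEATURE_NAME_RE.fullmatch(name) is None:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath, not startswith: ".../features" must not accept ".../features_evil/x"
    if os.path.commonpath([base, candidate]) != base or not os.path.isfile(candidate):
        return None
    return candidate


# CVE-2026-29203 class: chmod(2) follows symlinks, so the mode change lands on
# whatever the link points at.
def chmod_vulnerable(path: str, mode: int) -> None:
    os.chmod(path, mode)  # follows the link: the TARGET's mode changes


def chmod_nofollow(path: str, mode: int) -> bool:
    """Change the mode only of a regular file reached without following a link.

    open(O_NOFOLLOW) + fchmod() rather than lstat() + chmod(): no window in which
    the file can be swapped for a symlink between check and use.
    Returns False, changing nothing, for a symlink or a non-regular file.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:  # ELOOP on Linux when path is a symlink
        return False
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return False
        os.fchmod(fd, mode)
        return True
    finally:
        os.close(fd)


def demo() -> dict:
    """Build a throwaway layout, exercise both behaviours, report what happened."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.conf")  # stands in for a sensitive file
        with open(secret, "w") as fh:
            fh.write("password=hunter2\n")
        os.chmod(secret, 0o600)
        link = os.path.join(tmp, "harmless.txt")  # attacker-controlled symlink
        os.symlink(secret, link)
        chmod_vulnerable(link, 0o666)
        out["target_mode_after_vulnerable"] = stat.S_IMODE(os.stat(secret).st_mode)
        os.chmod(secret, 0o600)
        out["nofollow_accepted_symlink"] = chmod_nofollow(link, 0o666)
        out["target_mode_after_nofollow"] = stat.S_IMODE(os.stat(secret).st_mode)
        out["nofollow_on_regular_file"] = chmod_nofollow(secret, 0o640)

        features = os.path.join(tmp, "features")
        os.mkdir(features)
        with open(os.path.join(features, "default"), "w") as fh:
            fh.write("fileman=1\n")
        os.symlink(secret, os.path.join(features, "shadowed"))  # link out of the tree
        out["feature_ok"] = resolve_feature_file(features, "default") is not None
        out["feature_traversal"] = resolve_feature_file(features, "../secret.conf")
        out["feature_symlink_out"] = resolve_feature_file(features, "shadowed")
    out["plugin_ok"] = is_valid_plugin_name("ssl_manager")
    out["plugin_injection"] = is_valid_plugin_name('x"; system("id"); "')
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as an unprivileged user: the vulnerable chmod turns the 0600 secret into 0666 through the link, the no-follow version refuses the link and leaves the target untouched, and the feature-file resolver rejects both the traversal string and a symlink that resolves outside the directory even though its name looks innocent.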

The Bigger Picture: This Isn’t a Coincidence

CVE-2026-41940, the auth bypass that preceded all of this, was CVSS 9.8. It was rooted in CRLF injection that let unauthenticated attackers poison session files and bypass authentication entirely. Security researchers confirmed it had been actively exploited as a zero-day since at least February 2026, roughly two and a half months before a patch was available.

The compromise estimates exceeded 44,000 servers, with the “cPanelSniper” proof-of-concept driving mass exploitation. Mirai botnet variants used the flaw to recruit new DDoS nodes. Ransomware operators deployed “.sorry” extension payloads across affected hosting infrastructure. CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog and set a May 3 remediation deadline for federal agencies.

Finding CVE-2026-29201, 29202, and 29203 right after CVE-2026-41940 isn’t bad luck. It’s the result of cPanel auditing their codebase under pressure and finding more problems. That’s actually how this is supposed to work after a major incident. The concern is what else that audit might turn up. There may be further disclosures to come.

The broader issue is structural: a PHP and Perl codebase that manages system-level operations, network configuration, DNS, email, and web server settings from a single daemon creates a large, interconnected attack surface. Monolithic hosting panels built on decades-old foundations are showing the strain.

How to Patch

For most servers this is one command, run as root over SSH. Note that upcp honours the CPANEL= tier or version pin in /etc/cpupdate.conf, so a server pinned to a specific build will not move past it even with --force:

/scripts/upcp --force

After it completes, verify the installed version against the table below:

/usr/local/cpanel/cpanel -V

Then restart cpsrvd to make sure the daemon is running the updated code:

/scripts/restartsrv_cpsrvd

For CentOS 6 / CloudLinux 6 systems, you need to pin to the right update branch first:

sed -i "s/CPANEL=.*/CPANEL=cl6110/g" /etc/cpupdate.conf
/scripts/upcp --force

CentOS 6 hit end-of-life in 2020. This patch covers it, but it’s a stopgap. Migration to AlmaLinux or Rocky Linux is the only real answer long-term.

Affected versions and their minimum patched builds:

Platform             Minimum patched version
cPanel & WHM         11.136.0.9, 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, 11.124.0.37, 11.118.0.66, 11.110.0.116/117, 11.102.0.41, 11.94.0.30, 11.86.0.43
WP Squared           11.136.1.10
Legacy (CentOS 6)    110.0.114
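To turn that table into a check you can run across a fleet, here is an added example (not a cPanel tool) that maps an installed version to its branch and compares it with the minimum patched build. It assumes the version string is in the form /usr/local/cpanel/cpanel -V or /usr/local/cpanel/version reports, with or without the legacy 11. prefix, and it reads the ambiguous 11.110.0.116/117 entry as a minimum of .116. A branch that is not in the table returns None rather than True, because absence from the list is not evidence of safety.

```python
"""Is this cPanel build at or above the minimum patched build for its branch?

Added example, not a cPanel tool. The table is transcribed from this post;
the ambiguous "11.110.0.116/117" entry is read as a minimum of .116.
Version strings are taken as printed by `/usr/local/cpanel/cpanel -V` or
`/usr/local/cpanel/version`, with or without the legacy "11." prefix.
"""
import re
import sys

# platform -> branch (major release) -> minimum patched (major, minor, build)
MIN_PATCHED = {
    "cpanel": {
        136: (136, 0, 9), 134: (134, 0, 25), 132: (132, 0, 31), 130: (130, 0, 22),
        126: (126, 0, 58), 124: (124, 0, 37), 118: (118, 0, 66), 110: (110, 0, 116),
        102: (102, 0, 41), 94: (94, 0, 30), 86: (86, 0, 43),
    },
    "wp2": {136: (136, 1, 10)},
    "centos6": {110: (110, 0, 114)},
}


def parse_version(text: str) -> tuple:
    """Normalise "11.136.0.9", "136.0.9" or "cPanel 11.136.0.9" to (136, 0, 9)."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    if len(parts) == 4 and parts[0] == 11:  # "11.<major>.<minor>.<build>"
        parts = parts[1:]
    if len(parts) != 3:
        raise ValueError(f"unexpected version shape: {text!r}")
    return tuple(parts)


def is_patched(text: str, platform: str = "cpanel"):
    """True/False for a branch in the table; None for a branch that is not listed.

    None is deliberate: a branch missing from the advisory is not evidence that
    it is safe, so treat it as needs-review rather than as patched.
    """
    version = parse_version(text)
    minimum = MIN_PATCHED[platform].get(version[0])
    if minimum is None:
        return None
    return version >= minimum


if __name__ == "__main__":
    # usage: python3 check_cpanel.py "$(cat /usr/local/cpanel/version)" [cpanel|wp2|centos6]
    reported = sys.argv[1] if len(sys.argv) > 1 else "11.136.0.8"
    platform = sys.argv[2] if len(sys.argv) > 2 else "cpanel"
    labels = {True: "patched", False: "VULNERABLE", None: "branch not in table"}
    print(reported, "->", labels[is_patched(reported, platform)])
```

The CentOS 6 build is deliberately a separate platform key: 110.0.114 is patched on the cl6110 tier but would be reported as vulnerable on a regular 110 server, where the minimum is .116.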

Common Questions

Are these being actively exploited? As of May 11 there are no confirmed cases in the wild. That could change quickly if proof-of-concept code surfaces publicly; CVE-2026-41940 went from disclosure to mass exploitation fast.

What if I’m on managed hosting? Most managed providers (InMotion, KnownHost, HostGator, and others) push these patches automatically through their standard processes. Still worth a support ticket to confirm your server is actually running a patched build.

Can I block ports instead of patching? Restricting access to ports 2083 and 2087 reduces external exposure, but CVE-2026-29202 only requires an authenticated user, which in shared hosting means any customer on the box. Port blocking doesn’t help against that threat model.

What if I was already compromised? Audit access logs retroactively from February 23, 2026 – check /usr/local/cpanel/logs/access_log and /usr/local/cpanel/logs/login_log for unexpected session authentication patterns. Also run a recursive scan of user home directories for files with the .sorry extension. If you find them, you’re in incident response territory, not just patching territory. Rebuilding from a clean, verified off-site backup is the appropriate response at that point.
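As an added example (not a cPanel tool) of the retroactive audit described above, the block below runs two checks over access_log entries and one over a directory tree: requests whose path carries raw or percent-encoded CR/LF, the primitive the CVE-2026-41940 session poisoning relied on; accounts authenticated from more distinct client addresses than expected; and a scan for .sorry files. It assumes cpsrvd's access_log uses the Apache-style combined layout (client IP, ident, user, timestamp, request, status), and the sample lines are constructed for the example, not taken from a real server.

```python
"""Retroactive triage for the CVE-2026-41940 wave (added example, not a cPanel tool).

Assumptions: cpsrvd's access_log lines look like Apache's combined format
(client IP, ident, user, [timestamp], "request", status, ...); the sample
lines below are constructed for this example.
"""
import os
import re
import tempfile
from collections import defaultdict
from datetime import date, datetime, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3})'
)
# %0d / %0a is how a client smuggles CR/LF into a value; raw bytes are checked
# too in case the log writer does not escape them.
CRLF_RE = re.compile(r'%0[dD]|%0[aA]|[\r\n]')

# Constructed sample: one CRLF probe, a root session right after it, and a
# customer account that suddenly appears from four different addresses.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [23/Feb/2026:02:14:09 +0000] "GET /login/?user=root%0d%0aCookie:x HTTP/1.1" 200 512
203.0.113.5 - root [23/Feb/2026:02:14:11 +0000] "GET /cpsess1234567890/scripts/command HTTP/1.1" 200 2048
198.51.100.20 - alice [24/Feb/2026:09:00:00 +0000] "GET /cpsess0000000001/frontend/jupiter/index.html HTTP/1.1" 200 9000
198.51.100.21 - alice [25/Feb/2026:09:00:00 +0000] "GET /cpsess0000000002/frontend/jupiter/index.html HTTP/1.1" 200 9000
192.0.2.77 - alice [26/Feb/2026:22:41:17 +0000] "GET /cpsess0000000003/frontend/jupiter/index.html HTTP/1.1" 200 9000
192.0.2.78 - alice [26/Feb/2026:22:45:00 +0000] "POST /cpsess0000000003/execute/Fileman/upload_files HTTP/1.1" 200 120
"""


def parse_access_log(text, since=None):
    """Yield parsed entries; with since="YYYY-MM-DD", drop anything older (UTC)."""
    cutoff = date.fromisoformat(since) if since else None
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unknown layout: skip rather than guess
        entry = m.groupdict()
        ts = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if cutoff and ts.astimezone(timezone.utc).date() < cutoff:
            continue
        yield entry


def crlf_requests(entries):
    """Entries whose request line contains CR/LF bytes or their %-encodings."""
    return [e for e in entries if CRLF_RE.search(e["request"])]


def multi_ip_users(entries, max_ips=2):
    """Users seen authenticated from more than max_ips distinct client addresses."""
    seen = defaultdict(set)
    for e in entries:
        if e["user"] != "-":
            seen[e["user"]].add(e["ip"])
    return {u: sorted(ips) for u, ips in seen.items() if len(ips) > max_ips}


def find_sorry_files(root):
    """Paths under root ending in .sorry. os.walk does not follow symlinks, so a
    planted link cannot drag the scan out of the tree or into a loop."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if f.endswith(".sorry"))
    return sorted(hits)


def demo_sorry_scan():
    """Lay out a throwaway home tree with two encrypted-looking files and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "home", "alice", "public_html")
        os.makedirs(site)
        for name in ("index.php", "index.php.sorry", "wp-config.php.sorry"):
            open(os.path.join(site, name), "w").close()
        return [os.path.relpath(p, tmp) for p in find_sorry_files(tmp)]


if __name__ == "__main__":
    # on a real server: feed /usr/local/cpanel/logs/access_log and find_sorry_files("/home")
    entries = list(parse_access_log(SAMPLE_ACCESS_LOG, since="2026-02-23"))
    for e in crlf_requests(entries):
        print("CRLF probe:", e["ip"], e["ts"], e["request"])
    for user, ips in multi_ip_users(entries).items():
        print(f"{user} authenticated from {len(ips)} addresses: {', '.join(ips)}")
    print("ransomware markers:", demo_sorry_scan())
```

On the sample the CRLF check flags the probe from 203.0.113.5 (followed seconds later by a root session from the same address, which is the pattern to chase by hand), and the per-user check flags alice with four addresses. Tune max_ips to your customer base; the point is to surface accounts whose session history changed shape in the window, not to produce a verdict on its own.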

Two emergency patches in ten days is not a normal release cadence. Patch, verify, and keep watching the cPanel security mailing list.
