Recently, cPanel & WHM and WP Squared have issued patches for five critical vulnerabilities. These flaws range from arbitrary file reading to SQL injection, posing severe risks to server integrity and data privacy.
The most severe vulnerabilities identified in this cycle allow unauthenticated or unauthorized access to sensitive system resources.
- CVE-2026-29205 (CVSS 8.6) – Arbitrary File Read: A combination of incorrect privilege dropping and insufficient path filtering allows attackers to read arbitrary files via certain cpdavd endpoints. This affects versions 120 and higher.
- CVE-2026-32993 (CVSS 8.3) – HTTP Header Injection: An unauthenticated endpoint in cpsrvd was found to allow the insertion of arbitrary HTTP headers. This impacts versions 132 and higher.
- CVE-2026-32992 (CVSS 8.2) – Credential Theft via DNS Cluster: SSL verification was not fully enforced in the DNS Cluster system. A malicious server could perform a man-in-the-middle attack to capture credentials. This affects versions 126 and higher.
Beyond remote attacks, internal risks and script-based vulnerabilities were also addressed.
- CVE-2026-29206 (CVSS 8.1) – SQL Injection: The sqloptimizer script was found to be vulnerable to arbitrary SQL query injection. Crucially, this affects all cPanel & WHM versions.
- CVE-2026-32991 (CVSS 7.1) – Team Member Privilege Escalation: Low-privilege team users (role=default) can escalate their privileges to full owner capabilities using specific UAPI modules. This affects versions 110 and higher.
Patches have been pushed across several release tiers to ensure all active users can secure their environments.
| Product | Minimum Secure Version |
|---|---|
| cPanel & WHM (Latest Tiers) | 11.136.0.10, 11.134.0.26, 11.132.0.32 |
| cPanel & WHM (Older Tiers) | 11.130.0.23, 11.126.0.59, 11.124.0.38 |
| WP Squared | 11.136.1.12 or higher |
For administrators still operating on CentOS 6 or CloudLinux 6, a specific upgrade tier must be set before following the standard update procedures:
- Run the following command to set the upgrade tier (straight quotes, not typographic ones, or the shell will not parse it): `sed -i "s/CPANEL=.*/CPANEL=cl6110/g" /etc/cpupdate.conf`
- Proceed with the standard update process to reach the secure version (11.110.0.118 / cl6110).
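A quick way to turn the table above into a fleet check is to compare the installed version against the minimum secure build for its release tier. The script below is an added example, not cPanel's own tooling; it assumes the version string has the form 11.tier.x.y and embeds the minimum versions from this advisory (including the cl6110 tier for CentOS 6 / CloudLinux 6). The sample versions are constructed; on a live host the installed version can be read from /usr/local/cpanel/version.

```shell
#!/bin/sh
# Added example (not cPanel's tooling): decide whether an installed cPanel & WHM
# version is at or above the minimum secure version for its release tier, using
# the versions listed in the advisory table above. The tier is the second field
# of the version string (11.<tier>.x.y).

min_secure_for_tier() {
  case "$1" in
    136) echo 11.136.0.10 ;;
    134) echo 11.134.0.26 ;;
    132) echo 11.132.0.32 ;;
    130) echo 11.130.0.23 ;;
    126) echo 11.126.0.59 ;;
    124) echo 11.124.0.38 ;;
    110) echo 11.110.0.118 ;;   # CentOS 6 / CloudLinux 6 tier (cl6110)
    *)   return 1 ;;            # tier not covered by the advisory
  esac
}

# version_ge A B: succeed when dotted version A >= B, comparing numerically
# field by field (string comparison would rank 11.126.0.9 above 11.126.0.59).
version_ge() {
  i=1
  while [ "$i" -le 4 ]; do
    fa=$(printf '%s' "$1" | cut -d. -f"$i")
    fb=$(printf '%s' "$2" | cut -d. -f"$i")
    [ "${fa:-0}" -gt "${fb:-0}" ] && return 0
    [ "${fa:-0}" -lt "${fb:-0}" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# cpanel_patched VERSION: prints patched / vulnerable / unknown-tier.
# Exit status is 0 only for patched, so it can gate a cron or fleet check.
cpanel_patched() {
  tier=$(printf '%s' "$1" | cut -d. -f2)
  min=$(min_secure_for_tier "$tier") || { echo unknown-tier; return 2; }
  if version_ge "$1" "$min"; then echo patched; return 0; fi
  echo vulnerable; return 1
}

# Constructed sample versions; on a live host read /usr/local/cpanel/version.
for v in 11.132.0.31 11.132.0.32 11.126.0.9 11.110.0.118 11.128.0.5; do
  printf '%s -> %s\n' "$v" "$(cpanel_patched "$v")"
done
```

A tier that is not in the advisory table is reported as unknown-tier rather than patched, so hosts on an unlisted branch are flagged for manual review instead of silently passing.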
Don't wait for a breach to happen. Check your current version and update to a patched release immediately so that all five vulnerabilities are closed on your servers.