Ddos 
Web hosting administrators and infrastructure teams need to be on high alert. A recent security advisory has revealed a trio of vulnerabilities impacting the widely used cPanel & WHM and WP Squared platforms, prompting an urgent wave of patches. With two of these flaws carrying a high-severity CVSS score of 8.8, the risk of server compromise and service disruption is severe.
Here is a breakdown of the vulnerabilities threatening your hosting environments and the immediate steps required to lock them down.
The most alarming threats in this security release are two high-severity vulnerabilities that strike at the core of server administration APIs and file management.
- CVE-2026-29202 (CVSS 8.8): This vulnerability opens the door to malicious code execution. According to the advisory, “A Perl code injection method was found in the create_user API call, relating to the plugin parameter”. This type of flaw is highly dangerous, as it can potentially allow threat actors to execute arbitrary commands directly on the host server during the account creation process.
- CVE-2026-29203 (CVSS 8.8): The second critical flaw revolves around file system manipulation. The report details that “An unsafe symlink handling error was found that allows a user to chmod an arbitrary file, allowing for denial of service and possible privilege escalation”. This means a low-privileged user could manipulate file permissions to disrupt hosting services or, worse, pivot to seize complete administrative control of the server.
Rounding out the security update is a moderate-severity vulnerability that threatens data confidentiality.
- CVE-2026-29201 (CVSS 4.3): This arbitrary file read vulnerability resides within “the feature::LOADFEATUREFILE adminbin call where it does not adequately validate the feature file name”. Because the system fails to properly sanitize inputs, attackers can exploit this by passing a relative path as an argument. The impact of this oversight is significant, “causing an arbitrary file to be made world-readable”. This could inadvertently expose sensitive system configuration files, private keys, or customer data to the public internet.
Given the severe nature of the Perl injection and symlink handling flaws, system administrators must update their environments immediately. The maintainers have cast a wide net to ensure users are protected, pushing out patches across a vast range of cPanel & WHM versions.
Administrators should ensure their systems are updated to the following patched versions (or higher):
- 11.136.0.9
- 11.134.0.25
- 11.132.0.31
- 11.130.0.22
- 11.126.0.58
- 11.124.0.37
- 11.118.0.66
- 11.110.0.116 and 11.110.0.117
- 11.102.0.41
- 11.94.0.30
- 11.86.0.43
Additionally, hosting providers utilizing WP Squared must update their installations to version 11.136.1.10 or higher to mitigate the threats.
Notably, the developers have provided a critical lifeline for infrastructure still running on older, end-of-life operating systems. For environments “still on CentOS 6 or CloudLinux 6, we have also released v110.0.114 as a direct update”.
- Update the cPanel version on the server to one of the versions listed above. This can be done with the following:
/scripts/upcp –force
- Once completed, verify the cPanel version with the following to ensure the update was successful.
/usr/local/cpanel/cpanel -V
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
