A LiteSpeed cPanel privilege escalation flaw is being exploited in the wild right now. Tracked as CVE-2026-54420, the bug hands a low-privileged user full root access on shared hosting servers. Because attacks are already underway, administrators face an urgent patching deadline.
What attackers are abusing
The flaw lives in the LiteSpeed cPanel plugin before version 2.4.8. According to the NVD, the plugin “mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.”
In practice, that means any tenant with limited access can escape their boundary. As a result, they can climb to root and seize the whole server. The flaw scores a high 8.5 on the CVSS scale, and Namecheap’s team reported it.
Why the stakes are high
This is not theoretical. The LiteSpeed advisory states plainly that “this vulnerability is being actively exploited, and poses a risk for all user-end plugin versions prior to 2.4.8.”
Because shared servers pack many accounts onto one machine, a single compromised user can endanger every hosted site, which makes this LiteSpeed cPanel privilege escalation bug especially dangerous for hosting providers. Defenders can hunt for the attack’s fingerprint: paired calls to two certificate endpoints, fired 7 to 10 times at once from a single IP.
How to respond
Patch without delay. LiteSpeed fixed the issue in cPanel plugin v2.4.8, bundled with WHM Plugin v5.3.2.1. For upgrade commands and detection tips, read the official LiteSpeed security update.
If you cannot upgrade yet, remove the user-end plugin as a temporary fix. Finally, scan your cPanel logs for suspicious activity, and treat any match as a likely compromise.
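As an added example (not LiteSpeed's or cPanel's own code), the Python below scans access-log lines for the fingerprint described above: a single IP calling both certificate endpoints at least 7 times in one burst. The endpoint paths are placeholders because this article does not name them, and the combined-log line layout, the timestamp format and the 2-second window are assumptions to adjust to your logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholders: the article does not name the two certificate endpoints.
# Substitute the paths given in the LiteSpeed advisory.
ENDPOINTS = ("/PLACEHOLDER_CERT_ENDPOINT_A", "/PLACEHOLDER_CERT_ENDPOINT_B")
MIN_CALLS = 7                        # article: fired 7 to 10 times at once
WINDOW = timedelta(seconds=2)        # assumption: how tight "at once" is
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"   # assumption: combined-log timestamps
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def find_bursts(lines):
    """Return {ip: time} for IPs hitting BOTH endpoints >= MIN_CALLS in WINDOW."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        hit = [i for i, e in enumerate(ENDPOINTS) if m and e in m[3]]
        if not hit:
            continue                 # other log format or unrelated URL
        try:
            events[m[1]].append((datetime.strptime(m[2], TS_FORMAT), hit[0]))
        except ValueError:
            continue                 # unparseable timestamp
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        counts, start = [0, 0], 0    # per-endpoint calls inside the window
        for when, which in evs:
            counts[which] += 1
            while when - evs[start][0] > WINDOW:   # slide the window forward
                counts[evs[start][1]] -= 1
                start += 1
            if min(counts) >= MIN_CALLS:
                hits[ip] = when.isoformat()        # first time threshold is met
                break
    return hits

def sample_line(ip, hhmmss, path):   # builds one constructed log line
    return f'{ip} - user1 [14/May/2026:{hhmmss} +0000] "GET {path} HTTP/1.1" 200 0'

# Constructed sample data (not real traffic): one burst, two benign patterns.
SAMPLE = ([sample_line("203.0.113.7", "10:00:01", e) for e in ENDPOINTS for _ in range(8)]
    + [sample_line("198.51.100.4", f"11:{m:02d}:00", e) for m in range(8) for e in ENDPOINTS]
    + [sample_line("192.0.2.9", "12:00:00", ENDPOINTS[0]) for _ in range(9)])

if __name__ == "__main__":
    print(find_bursts(SAMPLE))
```

Only the first sample IP is reported; the slow, spread-out caller and the IP that hits a single endpoint do not match the paired-burst pattern.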