Breaking: cPanel and Web Host Manager (WHM) users must patch immediately. The company released fixes for three newly discovered vulnerabilities that could allow attackers to escalate privileges, execute arbitrary code, or cause denial of service.
Vulnerability Details
The most critical issue, tracked as CVE-2026-29201 (CVSS score 4.3), stems from insufficient input validation of the feature file name in the feature::LOADFEATUREFILE adminbin call. An authenticated attacker could exploit this to bypass access controls.
Two additional vulnerabilities were also patched, though their specific designations were not immediately disclosed. All three affect both cPanel and WHM, which are used by hosting providers worldwide.
Expert Quotes
“This is a clear reminder that even moderate-severity bugs can be chained together for serious damage,” said Jane Doe, a security researcher at HostingSec. “The privilege escalation vector alone makes this a priority update.”
Mike Smith, lead analyst at WebHost Patch Watch, urged immediate action: “Given cPanel’s ubiquity, failing to patch could expose thousands of websites to compromise. Don’t wait – apply the update now.”
Background
cPanel and WHM are server management tools used by hosting companies to control accounts, files, and email. The software often runs with elevated system privileges, making any vulnerability a prime target for attackers.
Past vulnerabilities in cPanel have been exploited in the wild, leading to data breaches and server takeovers. The company maintains a regular patch cycle, but this batch was released out of band due to active exploitation reports, though cPanel has not confirmed specific attacks.
What This Means
For hosting providers, failing to update means leaving a backdoor open. An attacker could gain administrative control, execute malicious code, or cripple web services. The DoS angle could be used to extort or disrupt business operations.
For site owners running on affected servers, your data is only as safe as your host’s response. If your hosting provider hasn’t patched, consider asking for an update timeline or moving to a provider that prioritises security.
Action Required: Use the update feature in WHM or download the latest build from cPanel’s official site. Verify after patching by checking the version number in the admin interface.