Action Required: If you run cPanel or WHM and have not yet run /scripts/upcp, your server remains exposed. Patch now. Details below.

If you manage web hosting infrastructure built on cPanel and WHM, the past two weeks have been anything but quiet. On May 8, 2026, cPanel issued its second emergency Technical Security Release (TSR) in ten days, patching three newly discovered vulnerabilities that span the stack — from sensitive file exposure all the way to remote code execution from a low-privilege authenticated account.

The context makes the timing especially alarming. This second wave of patches arrives directly on the heels of CVE-2026-41940, a CVSS 9.8 authentication-bypass zero-day that was actively exploited in the wild for nearly three months before a patch was available. That incident resulted in the compromise of an estimated 44,000 servers, with attackers deploying Mirai botnet variants and a ransomware strain that appended .sorry extensions to encrypted files.

Context: The CVE-2026-41940 Catastrophe

To understand why this second patch batch matters so much, it helps to understand what preceded it. CVE-2026-41940 was not a subtle, low-impact flaw. It was a pre-authentication bypass rooted in CRLF injection that allowed any attacker on the internet — no credentials required — to poison session files and bypass cPanel and WHM login entirely. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog, setting a mandatory remediation deadline of May 3, 2026 for federal civilian agencies.

Security researchers confirmed the vulnerability had been exploited as a zero-day since at least February 2026 — roughly two and a half months before a patch was available. A proof-of-concept named cPanelSniper drove mass exploitation. cPanel manages over 70 million domains worldwide, making it one of the highest-value targets in hosting infrastructure.

Feb 23, 2026 (estimated): CVE-2026-41940 exploitation begins in the wild. Zero-day authentication bypass actively used; no patch exists yet.
Apr 28, 2026: Emergency patch for CVE-2026-41940 released. CISA issues KEV entry; ~44,000 servers already compromised with Mirai variants and ".sorry" ransomware.
May 7, 2026: cPanel pre-discloses three new CVEs to hosting partners. Advance warning issued; technical details embargoed until patch release.
May 8, 2026, 12:00 PM EST: Patches for CVE-2026-29201, 29202 and 29203 go live. Second emergency TSR in 10 days; all supported tier branches receive fixes simultaneously.

Security analysts note that the rapid discovery of three additional vulnerabilities is not coincidental. Under the pressure of a major breach, internal and external code audits intensified — and found more problems. There may be further disclosures ahead.

The Three New Vulnerabilities, Explained

CVE-2026-29202 CVSS 8.8 — High
Authenticated Perl Code Execution  ·  create_user API

This is the most severe of the three. cPanel’s core backend is written substantially in Perl, and this flaw resides in the create_user API call. The plugin parameter passed to that call is not adequately validated, enabling an authenticated attacker to inject and execute arbitrary Perl code in the context of the authenticated account’s system user. In shared hosting environments — where a single server hosts dozens of small businesses — a single compromised low-privilege account is all an attacker needs to begin lateral movement. No public exploitation of this specific CVE has been confirmed as of May 12, 2026, but given how rapidly CVE-2026-41940 was weaponized after disclosure, the window is narrow.

CVE-2026-29203 CVSS 8.8 — High
Unsafe Symlink Handling — chmod Abuse  ·  DoS / Privilege Escalation

Symlink attacks are a recurring theme in Linux multi-tenant security, and cPanel has now joined the list of affected platforms. The vulnerability lies in how cPanel’s privileged process handles chmod operations on files in user directories. Because the system does not adequately verify whether a target path is a real file or a symbolic link before modifying permissions, an attacker can create a symlink pointing at a sensitive system file (such as /etc/shadow or a root SSH configuration), then trigger cPanel to execute chmod on it. The high-privilege cPanel process follows the link and alters permissions on the target. At minimum this causes a denial-of-service by corrupting critical files; at worst it opens a path to full root-level privilege escalation.
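The defensive pattern a privileged process needs here is to never let chmod resolve a link on a tenant-controlled path. The following is an added illustration written for this article, not cPanel code: it plants a symlink in a scratch directory and shows that a naive os.chmod() follows it and alters the target, while the hardened variant (lstat, then open with O_NOFOLLOW, then fchmod on the descriptor) refuses. The file names and the "sensitive" target are constructed stand-ins.

```python
"""Symlink-safe chmod versus the naive pattern behind CVE-2026-29203-class bugs.

Added example, not cPanel's code.  Everything runs inside a temporary
directory; 'sensitive' stands in for a system file such as /etc/shadow and
'tenant_file' for a name a low-privilege account controls.
"""
import os
import stat
import tempfile


def naive_chmod(path: str, mode: int) -> None:
    """The unsafe pattern: os.chmod() resolves symlinks before acting."""
    os.chmod(path, mode)


def safe_chmod(path: str, mode: int) -> None:
    """Change permissions only if `path` is a regular file, never through a link.

    lstat() rejects a link that exists at check time; O_NOFOLLOW on the open()
    closes the race in which a link is planted between the check and the
    chmod; the inode comparison catches a file swapped underneath us.
    fchmod() then acts on the inode actually opened.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"refusing to chmod symlink: {path}")
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"refusing to chmod non-regular file: {path}")
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        fst = os.fstat(fd)
        if (fst.st_ino, fst.st_dev) != (st.st_ino, st.st_dev):
            raise PermissionError(f"file changed between check and open: {path}")
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def demo() -> dict:
    """Run both variants against a planted link and a regular file.

    Returns the target's mode after each call so the difference is visible:
    the naive call rewrites the target's permissions, the safe call does not.
    """
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "sensitive")      # constructed stand-in for a system file
        link = os.path.join(d, "tenant_file")      # constructed tenant-controlled name
        regular = os.path.join(d, "regular")       # an ordinary tenant file
        for p in (target, regular):
            with open(p, "w") as f:
                f.write("data\n")
            os.chmod(p, 0o600)
        os.symlink(target, link)

        naive_chmod(link, 0o666)
        after_naive = stat.S_IMODE(os.stat(target).st_mode)

        os.chmod(target, 0o600)                     # reset for the second run
        refused = False
        try:
            safe_chmod(link, 0o666)
        except PermissionError:
            refused = True
        after_safe = stat.S_IMODE(os.stat(target).st_mode)

        safe_chmod(regular, 0o640)                  # legitimate use still works
        after_regular = stat.S_IMODE(os.stat(regular).st_mode)

        return {
            "after_naive": after_naive,
            "after_safe": after_safe,
            "safe_refused": refused,
            "after_regular": after_regular,
        }


if __name__ == "__main__":
    print(demo())
```

A check with os.path.islink() alone is not enough: the link can be created after the check and before the chmod, which is why the open uses O_NOFOLLOW and the mode change goes through the descriptor.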

CVE-2026-29201 CVSS 4.3 — Medium
Arbitrary File Read  ·  feature::LOADFEATUREFILE adminbin

The lowest-scoring of the three, but not one to dismiss. The feature::LOADFEATUREFILE adminbin call fails to adequately validate the feature file name parameter, allowing an attacker to supply a relative path (classic ../../../ traversal) to cause an arbitrary file on the server to be made world-readable. While this alone cannot execute commands, it provides access to configuration files, database connection strings, credentials, and other user data — exactly the reconnaissance layer that enables chained, more sophisticated attacks. Information disclosure is often the first step in a multi-stage compromise.
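The fix for this class of flaw is to validate the file name before a privileged helper opens anything. The following is an added example for this article, not cPanel's code: it applies a strict allow-list to the name and then checks that the resolved path still lies inside the base directory, which also catches a symlink planted inside that directory pointing outside it. The base directory is a parameter and the demo uses a scratch directory; no real cPanel path is assumed.

```python
"""Containment check for a user-supplied file name before a privileged open.

Added example, not cPanel's code.  Two layers: an allow-list on the name
itself (a single path component, no separators, no leading dot), then a
realpath() containment check that rejects anything resolving outside the
base directory, including a symlink planted inside it.
"""
import os
import re
import tempfile

# One path component: letters, digits, underscore, dot, dash; no leading dot.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def resolve_in_base(base_dir: str, name: str) -> str:
    """Return the absolute path of `name` under `base_dir`, or raise ValueError."""
    if not SAFE_NAME.match(name):
        raise ValueError(f"rejected name: {name!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath() on two absolute, resolved paths tells us whether the
    # candidate is still underneath the base directory after link resolution.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {name!r}")
    return candidate


def classify(base_dir: str, name: str) -> str:
    """'ok' if the name is usable under base_dir, otherwise 'rejected'."""
    try:
        resolve_in_base(base_dir, name)
        return "ok"
    except ValueError:
        return "rejected"


def demo() -> dict:
    """Exercise the check with a normal name, traversal strings, and a planted link."""
    with tempfile.TemporaryDirectory() as d:
        outside = os.path.join(d, "outside_secret")   # constructed file outside the base
        base = os.path.join(d, "features")            # constructed base directory
        os.mkdir(base)
        with open(outside, "w") as f:
            f.write("secret\n")
        with open(os.path.join(base, "default"), "w") as f:
            f.write("feature list\n")
        os.symlink(outside, os.path.join(base, "escape"))   # link planted inside base

        return {
            "normal": classify(base, "default"),
            "traversal": classify(base, "../../../etc/passwd"),
            "absolute": classify(base, "/etc/passwd"),
            "symlink_out": classify(base, "escape"),
            "dotfile": classify(base, ".bashrc"),
        }


if __name__ == "__main__":
    print(demo())
```

The allow-list alone would pass "escape", which is why the second layer resolves the path and compares it against the resolved base; either layer on its own leaves a gap.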

Important clarification: Unlike CVE-2026-41940, all three of these new vulnerabilities require an authenticated account to exploit. This meaningfully limits the attack surface compared to a pre-auth bypass — but in shared hosting environments where credential theft and resold access are common, the bar is lower than it appears.

Patch Versions: What You Need to Be Running

cPanel has issued fixes across every currently supported version branch. The minimum patched builds, as published in cPanel’s official security advisories, are listed below:

Version Branch        Minimum Patched Build           Status
11.136                11.136.0.9                      ✓ Patched
11.134                11.134.0.25                     ✓ Patched
11.132                11.132.0.31                     ✓ Patched
11.130                11.130.0.22                     ✓ Patched
11.126                11.126.0.58                     ✓ Patched
11.124                11.124.0.37                     ✓ Patched
11.118                11.118.0.66                     ✓ Patched
11.110                11.110.0.116 / 11.110.0.117     ✓ Patched
11.102                11.102.0.41                     ✓ Patched
11.94                 11.94.0.30                      ✓ Patched
11.86                 11.86.0.43                      ✓ Patched
WP Squared (WP2)      11.136.1.10                     ✓ Patched

How to Patch: Step-by-Step

If your server has automatic updates enabled, the patch will be applied on the standard automatic update schedule. For a security release of this category, manual patching is strongly recommended — do not wait for the automated window.

    # Standard update (run as root)
    /scripts/upcp

    # For CentOS 6 / CloudLinux 6 systems, adjust your tier first:
    sed -i "s/CPANEL=.*/CPANEL=cl6110/g" /etc/cpupdate.conf
    /scripts/upcp

    # After patching, restart the cPanel service daemon:
    /scripts/restartsrv_cpsrvd

    # Verify your installed version matches the patched build above:
    cat /usr/local/cpanel/version

CloudLinux 6 note: The dedicated update package for CentOS 6 / CloudLinux 6 legacy servers is version 110.0.114. If your server is on this configuration, adjust the tier setting as shown above before running the update.
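The last step, comparing the installed version against the table, is easy to get wrong by eye across a fleet. The following is an added helper written for this article, not a cPanel tool: it transcribes the minimum patched builds from the table above and classifies a version string in the four-component form that /usr/local/cpanel/version prints. It assumes the WP Squared build line keeps its ".1." third component, so that line is compared against 11.136.1.10 rather than the 11.136.0.9 minimum; branches not in the table are reported as unknown rather than guessed at.

```python
"""Compare an installed cPanel version string with the minimum patched builds.

Added helper, not a cPanel tool.  MIN_PATCHED is transcribed from the table
in this article.  A branch is keyed by its first three components so that
WP Squared (11.136.1.x, an assumption about that build line) is compared
against its own minimum rather than the 11.136.0.x one.
"""
from typing import Tuple

Version = Tuple[int, ...]

# Branch prefix -> minimum patched build, from the advisory table above.
MIN_PATCHED = {
    (11, 136, 0): (11, 136, 0, 9),
    (11, 136, 1): (11, 136, 1, 10),   # WP Squared (WP2)
    (11, 134, 0): (11, 134, 0, 25),
    (11, 132, 0): (11, 132, 0, 31),
    (11, 130, 0): (11, 130, 0, 22),
    (11, 126, 0): (11, 126, 0, 58),
    (11, 124, 0): (11, 124, 0, 37),
    (11, 118, 0): (11, 118, 0, 66),
    (11, 110, 0): (11, 110, 0, 116),  # table lists 11.110.0.116 and .117; >= 116 covers both
    (11, 102, 0): (11, 102, 0, 41),
    (11, 94, 0): (11, 94, 0, 30),
    (11, 86, 0): (11, 86, 0, 43),
}


def parse_version(text: str) -> Version:
    """'11.136.0.9\\n' -> (11, 136, 0, 9); raises ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def status(text: str) -> str:
    """Return 'patched', 'unpatched' or 'unknown branch' for a version string."""
    v = parse_version(text)
    minimum = MIN_PATCHED.get(v[:3])
    if minimum is None:
        return "unknown branch"
    # Tuple comparison is component-wise, so 11.136.0.10 > 11.136.0.9.
    return "patched" if v >= minimum else "unpatched"


def check_version_file(path: str = "/usr/local/cpanel/version") -> str:
    """Read the installed version from the file the patch steps use and classify it."""
    with open(path) as f:
        return status(f.read())


if __name__ == "__main__":
    print(check_version_file())
```

Run it on each server after /scripts/upcp; anything other than "patched" means the update did not land or the server is on a branch this table does not cover, and in the latter case check the cPanel advisory directly.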

If Your Server Was Unpatched During the CVE-2026-41940 Window

Patching these three new CVEs is essential — but if your server was running an unpatched version of cPanel between approximately February 23, 2026 (when CVE-2026-41940 exploitation began) and April 28, 2026 (when that patch shipped), you should treat the server as potentially compromised and investigate proactively, not simply patch and continue.

Recommended forensic steps include auditing access logs retroactively from late February, reviewing /usr/local/cpanel/logs/access_log and /usr/local/cpanel/logs/login_log for anomalous session authentication patterns, and checking for unexpected outbound connections or new cron jobs created during that period.
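Two of the signals worth pulling from the access log for that window are accounts authenticated from an unusual number of source addresses and single addresses that authenticated as several different accounts. The following is an added example for this article, not a cPanel tool. The log line layout it parses is an assumption (a combined-log-like "ip - user [timestamp] "request" status bytes" line); adjust LINE_RE if your access_log differs. The sample lines are constructed, the crontab spool path /var/spool/cron is the RHEL-family default and is also an assumption, and file mtimes are only a hint since they can be reset.

```python
"""Audit a cPanel-style access log for anomalous sessions inside the exposure window.

Added example, not a cPanel tool.  LINE_RE encodes an assumed line layout;
SAMPLE_LOG is constructed.  The window is Feb 23 to Apr 28, 2026 as given
in the article.
"""
import os
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
WINDOW_START = datetime(2026, 2, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 28, 23, 59, 59, tzinfo=timezone.utc)
MAX_IPS = 2   # flag accounts seen from more than this many source addresses

# Constructed sample: alice's January line is pre-window baseline, dave's May
# line is after the window; both must be ignored by the audit.
SAMPLE_LOG = """\
198.51.100.10 - alice [12/Jan/2026:09:00:00 +0000] "GET /cpsess0001/frontend/jupiter/index.html HTTP/1.1" 200 512
203.0.113.5 - alice [01/Mar/2026:03:14:05 +0000] "GET /cpsess0002/frontend/jupiter/index.html HTTP/1.1" 200 512
203.0.113.6 - alice [02/Mar/2026:03:20:11 +0000] "GET /cpsess0003/frontend/jupiter/index.html HTTP/1.1" 200 512
203.0.113.7 - alice [03/Mar/2026:04:01:44 +0000] "GET /cpsess0004/frontend/jupiter/index.html HTTP/1.1" 200 512
203.0.113.5 - bob [01/Mar/2026:03:15:30 +0000] "GET /cpsess0005/frontend/jupiter/index.html HTTP/1.1" 200 512
192.0.2.20 - carol [10/Mar/2026:10:00:00 +0000] "GET /cpsess0006/frontend/jupiter/index.html HTTP/1.1" 200 512
203.0.113.99 - dave [05/May/2026:12:00:00 +0000] "GET /cpsess0007/frontend/jupiter/index.html HTTP/1.1" 200 512
"""


def parse_line(line: str):
    """Return a dict for a line matching LINE_RE, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "user": m["user"], "ts": ts,
            "path": m["path"], "status": int(m["status"])}


def audit_access_log(lines, start=WINDOW_START, end=WINDOW_END, max_ips=MAX_IPS) -> dict:
    """Summarise authenticated activity inside [start, end].

    Reports accounts seen from more than max_ips distinct addresses and
    addresses that authenticated as more than one account.
    """
    ips_by_user = defaultdict(set)
    users_by_ip = defaultdict(set)
    in_window = unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += bool(line.strip())
            continue
        if rec["user"] == "-" or not (start <= rec["ts"] <= end):
            continue   # unauthenticated hit, or outside the window
        in_window += 1
        ips_by_user[rec["user"]].add(rec["ip"])
        users_by_ip[rec["ip"]].add(rec["user"])
    return {
        "events_in_window": in_window,
        "unparsed_lines": unparsed,
        "multi_ip_users": {u: len(s) for u, s in ips_by_user.items() if len(s) > max_ips},
        "shared_ips": {ip: sorted(us) for ip, us in users_by_ip.items() if len(us) > 1},
    }


def cron_files_modified_in_window(spool_dir="/var/spool/cron",
                                  start=WINDOW_START, end=WINDOW_END):
    """Names of per-user crontab files whose mtime falls in the window (a hint only)."""
    if not os.path.isdir(spool_dir):
        return []
    hits = []
    for entry in os.scandir(spool_dir):
        mtime = datetime.fromtimestamp(entry.stat().st_mtime, tz=timezone.utc)
        if start <= mtime <= end:
            hits.append(entry.name)
    return sorted(hits)


if __name__ == "__main__":
    print(audit_access_log(SAMPLE_LOG.splitlines()))
    print(cron_files_modified_in_window())
```

Against the real log, replace SAMPLE_LOG.splitlines() with the opened file and raise or lower MAX_IPS to match how your tenants normally behave; a shared-hosting customer on a mobile connection can legitimately appear from several addresses, so the output is a triage list, not a verdict.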

No Active Exploitation Confirmed — But Act Now

As of May 12, 2026, there is no confirmed evidence that CVE-2026-29201, CVE-2026-29202, or CVE-2026-29203 have been exploited in the wild. That window will not stay open indefinitely. The prior CVE-2026-41940 incident demonstrated how quickly cPanel vulnerabilities can be reverse-engineered, weaponized, and deployed at mass scale once details become public. Patch management speed is now measured in hours, not days.


Sources: cPanel official security advisories for CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, published May 8, 2026; MDDHosting security update blog; Panelica TSR pre-disclosure analysis; Vulert CVE analysis; The Hacker News; Cyber Security News; Copahost incident timeline. No technical exploitation details beyond official cPanel disclosures have been reproduced in this article.