cPanel Patches Three CVEs as Sorry Ransomware Hits 44K Servers

cPanel released a second emergency patch in ten days — CVE-2026-29202 and CVE-2026-29203 enable code execution — as Sorry ransomware hits 44,000 servers.

cPanel and WHM received a second emergency security patch within ten days on May 8, 2026, addressing three newly discovered vulnerabilities — including two rated CVSS 8.8 — while a concurrent ransomware campaign exploiting a separate critical flaw had already encrypted files on at least 44,000 cPanel servers globally.

Two CVSS 8.8 Flaws in cPanel’s May 8 Patch: CVE-2026-29202 and CVE-2026-29203

CVE-2026-29202 (CVSS 8.8) is an insufficient input validation flaw in the plugin parameter of cPanel’s create_user API call. When an authenticated user passes a malformed plugin value to this endpoint, the server executes arbitrary Perl code under the system account of the authenticated user. In shared hosting environments, this means any legitimately credentialed reseller, developer account, or compromised customer can obtain server-level code execution — reaching all websites, databases, and file trees managed by that cPanel installation rather than only the attacker’s authorized scope.

CVE-2026-29203 (CVSS 8.8) is a symlink handling flaw in WHM’s file permission modification operations. The unsafe symlink resolution allows an authenticated user to invoke chmod operations on arbitrary filesystem paths outside their authorized directory tree. In a shared hosting environment where dozens or hundreds of customer accounts co-exist on a single WHM server, this flaw enables cross-tenant privilege boundary violations — including modifying permissions on another customer’s files or on system configuration paths.

Both vulnerabilities require only an existing authenticated session as a precondition. Any paying customer with a legitimate login to their own hosting account can attempt exploitation against the broader server’s tenant population.

CVE-2026-29201: Arbitrary File Read via Unvalidated Feature File Names in WHM

The third patched vulnerability, CVE-2026-29201 (CVSS 4.3), is an insufficient validation flaw in feature file name handling within the feature::LOADFEATUREFILE adminbin call. An authenticated attacker can supply a crafted file name that causes the server to read files outside the directory the feature file system is permitted to access. On a shared hosting server, out-of-scope file reads expose configuration data, credential files, SSL private keys, and database connection strings stored in directories belonging to co-hosted accounts.
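The symlink escape in CVE-2026-29203 and the out-of-scope file read in CVE-2026-29201 are both path-confinement failures: a user-supplied name is joined to a base directory and used without checking where it really points. The following Python example is added here and is not cPanel's code; it contrasts the naive chmod pattern with a confined chmod and read that resolve the real path and refuse anything outside the tenant's home, using a constructed temporary-directory fixture.

```python
import os
import tempfile
from pathlib import Path

def resolve_inside(base, user_path):
    """Return the real path of user_path under base only if, after following
    symlinks and '..', it still lies inside base; otherwise None."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    if target == base_real or target.startswith(base_real + os.sep):
        return target
    return None

def confined_chmod(base, user_path, mode):
    """Hardened pattern: refuse traversal and symlink escapes before chmod."""
    target = resolve_inside(base, user_path)
    if target is None:
        return False
    os.chmod(target, mode)
    return True

def confined_read(base, user_path):
    """The same confinement applied to a file read (the CVE-2026-29201 class)."""
    target = resolve_inside(base, user_path)
    if target is None:
        return None
    return Path(target).read_bytes()

def demo():
    """Constructed fixture: a tenant home holding a symlink to a file outside it."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home", "tenant")
        os.makedirs(home)
        outside = os.path.join(root, "outside.conf")  # another tenant's file
        Path(outside).write_text("db_password=constructed\n")
        Path(home, "index.html").write_text("<h1>ok</h1>")
        os.symlink(outside, os.path.join(home, "link"))
        # Naive pattern: join and chmod, which follows the symlink out of home.
        os.chmod(os.path.join(home, "link"), 0o666)
        naive_escaped = (os.stat(outside).st_mode & 0o777) == 0o666
        os.chmod(outside, 0o600)
        return {
            "naive_escaped": naive_escaped,
            "symlink_rejected": not confined_chmod(home, "link", 0o666),
            "traversal_rejected": not confined_chmod(home, "../../outside.conf", 0o666),
            "own_file_ok": confined_chmod(home, "index.html", 0o644),
            "outside_unchanged": (os.stat(outside).st_mode & 0o777) == 0o600,
            "read_rejected": confined_read(home, "link") is None,
        }
```

Running `demo()` shows the naive chmod changing the outside file's mode while every confined call against the symlink or a `../` path is refused and only the tenant's own file is modified.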

On its own, CVE-2026-29201 yields information useful for escalating an attack. Combined with CVE-2026-29202’s code execution capability, the two form a complete privilege escalation chain from any authenticated account on the server to full server control. cPanel released the patch across multiple active release branches, with version 11.136.0.9 and higher carrying the fixes. The standard cPanel update mechanism delivers the patch automatically to systems configured for updates.

Sorry Ransomware: How CVE-2026-41940 Encrypted 44,000 cPanel Servers

The May 8 patch arrives while a separate CVE is being actively exploited. CVE-2026-41940, a CVSS 9.8 CRLF injection vulnerability in cPanel’s authentication flow, was disclosed approximately ten days before the new patch and was immediately weaponized by threat actors distributing the “Sorry” ransomware — a Go-based Linux encryptor that uses the ChaCha20 stream cipher for file encryption and RSA-2048 for key protection. Censys researchers confirmed 7,135 hosts exhibiting .sorry encrypted file extensions in public scans, while overall estimates of compromised servers reached at least 44,000.

The Sorry ransomware campaign against CVE-2026-41940 is distinct from the three CVEs patched on May 8. Organizations that applied the first emergency patch addressing CVE-2026-41940 still require this second patch to close the newly disclosed escalation paths. Organizations that have not yet patched either CVE face active exploitation risk from the ongoing ransomware campaign on top of the newly disclosed vulnerabilities.

Compound Patching Risk Across 70 Million cPanel-Managed Domains

cPanel and WHM collectively manage DNS, email, databases, and web file trees for an estimated 70 million hosted domains across shared hosting providers, resellers, and managed service providers worldwide. The platform’s architecture — where a single WHM installation hosts potentially hundreds of customer accounts — means that exploitation of a single reseller or customer credential compromises not just that account but the entire server’s tenant population through CVE-2026-29202’s code execution capability.

Hosting providers managing cPanel deployments now face simultaneous patching obligations: CVE-2026-41940 for the active ransomware campaign and CVE-2026-29201 through CVE-2026-29203 for the newly disclosed escalation paths. The two-week window from the first cPanel emergency disclosure to this second patch cycle indicates that vulnerability discovery in this product family is active, and additional findings from the same research period may be forthcoming.
