cPanel and WHM Patch Three CVEs, Two Rated High Severity

cPanel patched two CVSS 8.8 flaws including Perl code execution in WHM, as the 40,000-server CVE-2026-41940 campaign remains active.

cPanel and WebHost Manager released security fixes on May 9, 2026 for three newly disclosed vulnerabilities — including two rated CVSS 8.8 — as threat actors continue to exploit a separate critical cPanel flaw that has already compromised more than 40,000 servers worldwide. The timing places hosting providers and system administrators under compounded pressure to patch before active exploitation infrastructure from the earlier campaign is retargeted at the new vulnerabilities.

Three New CVEs in cPanel and WHM: Perl Execution, Symlink Escalation, and File Read

cPanel and WebHost Manager are the most widely deployed web server control panel software globally, powering shared hosting environments for millions of websites. The three vulnerabilities disclosed on May 9, 2026 affect the core cPanel/WHM platform and span a range of severity and attack potential that, in combination, make this a patch release administrators should treat as urgent rather than routine.

The most serious is CVE-2026-29202 (CVSS 8.8), which permits unauthorized Perl code execution on authenticated cPanel accounts. Because cPanel’s core server management functions are implemented in Perl, code execution within that runtime provides significant access to server configurations, account data, and administrative functions. An attacker with a valid hosting account on a vulnerable server can use this flaw to execute arbitrary code in cPanel’s privileged context — a meaningful escalation beyond the permissions ordinarily available to a shared hosting tenant.

CVE-2026-29203: Symlink Abuse Enabling Denial-of-Service and Privilege Escalation in Shared Hosting

CVE-2026-29203 (CVSS 8.8) exploits unsafe handling of symbolic links within cPanel’s file processing logic. An attacker can craft a symlink that, when processed by cPanel or WHM, triggers either a denial-of-service condition or a privilege escalation path to system level. In shared hosting environments — where dozens or hundreds of customer accounts coexist on a single server — privilege escalation from one tenant account to system level represents a particularly high-risk outcome: a single compromised or malicious tenant could use this flaw to affect all other tenants on the same physical machine.

CVE-2026-29201: Arbitrary File Read Bypasses Tenant Sandboxing Boundaries

The third vulnerability, CVE-2026-29201 (CVSS 4.3), enables arbitrary file read through insufficient input validation. An authenticated attacker can access files outside their ordinarily permitted scope on the server — including configuration files, credential stores, or data belonging to other hosted accounts. While lower in severity than the other two flaws, arbitrary file read in a multi-tenant shared hosting environment carries meaningful information disclosure risk that can enable further exploitation.

Patched Version Numbers Across Current and Legacy cPanel Branches

cPanel released fixes across multiple version branches to address all three CVEs simultaneously. Updated releases include cPanel/WHM 11.136.0.9 and later, 11.134.0.25 and later, 11.132.0.31 and later, and multiple legacy branch releases extending through 11.86.0.43 and later. WP Squared, cPanel’s WordPress hosting variant, received fixes in version 11.136.1.10 and later. Legacy environments running CentOS 6 or CloudLinux 6 should update to version 110.0.114.
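For fleet-wide triage, the fixed builds above can be turned into a simple version check. This is an added example, not cPanel's own tooling; the hostnames and version strings in the sample inventory are constructed, and only the branches the advisory names are listed, so any other branch is reported as unknown rather than assumed safe.

```python
"""Fleet check: is a cPanel/WHM build at or above the May 9, 2026 fixed release?"""
from typing import Optional

# Fixed builds named in the advisory, keyed by branch (all but the last
# version component). Intermediate legacy branches are not listed on the
# page, so they deliberately stay absent here rather than being guessed.
FIXED_BUILDS = {
    "11.136.0": 9,     # cPanel/WHM 11.136.0.9 and later
    "11.134.0": 25,    # 11.134.0.25 and later
    "11.132.0": 31,    # 11.132.0.31 and later
    "11.86.0": 43,     # oldest legacy branch named: 11.86.0.43 and later
    "11.136.1": 10,    # WP Squared 11.136.1.10 and later
    "110.0": 114,      # CentOS 6 / CloudLinux 6: 110.0.114
}

def parse_version(raw: str) -> tuple[str, int]:
    """Split '11.136.0.7' into ('11.136.0', 7). Raises ValueError on junk."""
    parts = raw.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised cPanel version string: {raw!r}")
    return ".".join(parts[:-1]), int(parts[-1])

def patch_status(raw: str) -> Optional[bool]:
    """True if patched, False if vulnerable, None if the branch is not one the
    advisory lists (treat None as 'check the vendor advisory', not as safe)."""
    branch, build = parse_version(raw)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    return build >= fixed

def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket hosts by status so a fleet can be worked in priority order."""
    buckets: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown_branch": []}
    for host, version in inventory.items():
        status = patch_status(version)
        key = "unknown_branch" if status is None else ("patched" if status else "vulnerable")
        buckets[key].append(host)
    return buckets

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "web01.example.test": "11.136.0.7",    # below 11.136.0.9 -> vulnerable
    "web02.example.test": "11.136.0.9",    # exactly the fixed build -> patched
    "web03.example.test": "11.134.0.30",   # above 11.134.0.25 -> patched
    "legacy.example.test": "110.0.100",    # CentOS 6 build below 110.0.114
    "wp01.example.test": "11.136.1.10",    # WP Squared fixed build
    "odd.example.test": "11.128.0.12",     # branch not named on the page
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

On a live server the version string is assumed to come from the file /usr/local/cpanel/version, which an inventory collector would read and feed to patch_status.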

No active exploitation of CVE-2026-29201, -29202, or -29203 had been reported at the time of the May 9 disclosure. The patch release aligned with coordinated vulnerability disclosure processes and was not triggered by observed attacks against these specific flaws.

Why the CVE-2026-41940 Campaign Elevates Urgency for the May 9 Patch Release

The security context surrounding this patch release significantly changes the risk calculus for administrators who might otherwise deprioritize vulnerabilities with no confirmed exploitation. A separate critical cPanel vulnerability — CVE-2026-41940, rated CVSS 9.8 — has been under active attack and has already resulted in an estimated 40,000 or more server compromises. Threat actors behind that campaign targeted government and military organizations in Southeast Asia and managed service providers, demonstrating both the capability and intent to operate cPanel exploitation at scale.

The exploitation infrastructure built around CVE-2026-41940 remains operational. Security teams monitoring that campaign note that threat actors with established tooling against cPanel infrastructure are well-positioned to add newly disclosed vulnerabilities to their exploit chains, particularly when patches are not applied promptly. The presence of two CVSS 8.8 flaws — enabling code execution and privilege escalation on the same platform already under active attack through a different CVE — eliminates the usual grace period administrators might rely on when no exploitation is yet confirmed.

Hosting providers managing large fleets of cPanel-based servers should treat coordinated, fleet-wide patching as an immediate operational priority. Administrators who have already patched CVE-2026-41940 should not assume their environments are fully hardened; the May 9 disclosures represent a distinct and newly introduced attack surface that requires a separate patching action.
