cPanel & WHM Patch CVE-2026-29201, 29202, 29203: Update Now

cPanel has patched three new cPanel & WHM / WP Squared vulnerabilities, including a Perl code injection flaw, an arbitrary-file read, and an unsafe symlink-handling bug. Update with /scripts/upcp --force, verify that the server landed on a fixed build, and review which hosting panels are exposed to the internet.

[Editorial cartoon: the bugs brought paperwork, payloads, and symlinks; the patch lever brought peace and quiet.]

cPanel has released security updates for three new cPanel & WHM / WP Squared vulnerabilities disclosed on May 8, 2026. The flaws are tracked as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203. The two most serious carry CVSS scores of 8.8 because they can lead to code execution or privilege escalation in hosting environments an attacker can already reach.[1]

This is a patch-now story, not a panic headline. The Hacker News notes there is currently no public evidence that these three new CVEs are being exploited in the wild.[4] The reason it still matters is context: cPanel and WHM sit close to websites, mailboxes, databases, backups, and account-level server operations. A control-panel bug can turn from “one hosted account has a problem” into “the hosting server needs triage” much faster than an ordinary web-app flaw.

The timing is also uncomfortable. The new fixes arrived days after CVE-2026-41940, a critical cPanel & WHM authentication bypass, was exploited as a zero-day. cPanel’s advisory for that earlier issue included urgent update steps, mitigation guidance for exposed ports, and a detection script for session-file indicators.[5] These new May 8 CVEs are separate, but administrators should treat them as another reminder that the hosting control plane deserves fast maintenance and careful exposure control.

What to check after updating

CVE-2026-29201
  What cPanel says it affects: insufficient validation in the feature::LOADFEATUREFILE adminbin call.
  Why it matters: a relative path could make an arbitrary file world-readable, so treat it as a data-exposure issue.[1]

CVE-2026-29202
  What cPanel says it affects: a Perl code injection issue in the create_user API call, tied to the plugin parameter.
  Why it matters: this is the sharpest bug in the set; successful abuse could execute Perl code as the authenticated account's system user.[2]

CVE-2026-29203
  What cPanel says it affects: unsafe symlink handling that can let a user run chmod against an arbitrary file.
  Why it matters: cPanel says the result can be denial of service or possible privilege escalation.[3]

Administrators should update cPanel & WHM to a fixed build on their supported branch, then verify the result with /usr/local/cpanel/cpanel -V. cPanel’s listed fixed cPanel & WHM versions include 11.136.0.9, 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, 11.124.0.37, 11.118.0.66, 11.110.0.116 or 11.110.0.117, 11.102.0.41, 11.94.0.30, and 11.86.0.43, with newer builds patched as well.[1] The same advisories list WP Squared 11.136.1.10 and higher as patched.

If automatic updates are enabled, confirm that the server actually landed on a fixed build. If updates are pinned, disabled, or stuck on an older operating-system tier, do not assume the nightly updater solved it. cPanel says customers still on CentOS 6 or CloudLinux 6 can use a direct 110.0.114 update path, but those systems should be handled as legacy-risk servers, not routine maintenance.

A useful quick triage pass is simple: update, verify, limit exposure, and review recent account activity. Check whether WHM, cPanel, Webmail, WebDisk, or related service subdomains are publicly reachable when they do not need to be. Review newly created accounts, unusual feature-list or package changes, suspicious API calls, and unexpected file-permission changes around the patch window. For servers that were also exposed during the CVE-2026-41940 incident, keep that earlier session-file IOC review on the checklist instead of treating this as an isolated update.
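A small post-update check that follows the update, verify, limit exposure sequence above, written here as an added example; it is not cPanel's own tooling and not the detection script from the earlier advisory. It compares the installed build against the fixed builds listed in this article (11.110 is listed as "11.110.0.116 or 11.110.0.117", so the check uses 117 as the floor and errs toward "update"). It assumes the version is readable from /usr/local/cpanel/version in 11.<branch>.<minor>.<build> form or from cpanel -V in the "110.0 (build 13)" form, and that the cPanel services listen on their default ports (2082/2083 cPanel, 2086/2087 WHM, 2095/2096 Webmail, 2077/2078 WebDisk); those file paths, output formats, and ports are assumptions, and the build strings in the demo path are constructed samples. The account-activity review is left to the operator because it depends on the server's own logs.

```shell
#!/bin/sh
# Added example (not cPanel's code): gate a cPanel & WHM build string against the
# fixed builds from the May 8, 2026 advisories, then list panel ports that are listening.

# Turn the forms "110.0 (build 13)", "110.0.13" or "11.110.0.13" into "11.110.0.13".
normalize_version() {
    v=$(printf '%s' "$1" | sed -E 's/^([0-9]+)\.([0-9]+) \(build ([0-9]+)\)$/\1.\2.\3/')
    case "$v" in
        11.*) printf '%s\n' "$v" ;;
        *)    printf '11.%s\n' "$v" ;;
    esac
}

# Minimum fixed build per "<branch>.<minor>", from the advisory list in this article.
# 136.1 is the WP Squared line (11.136.1.10 and higher). The CentOS 6 / CloudLinux 6
# 110.0.114 path is not modelled here; treat those hosts as legacy-risk servers.
fixed_build_for() {
    case "$1" in
        136.1) echo 10 ;;   # WP Squared
        136.0) echo 9 ;;
        134.0) echo 25 ;;
        132.0) echo 31 ;;
        130.0) echo 22 ;;
        126.0) echo 58 ;;
        124.0) echo 37 ;;
        118.0) echo 66 ;;
        110.0) echo 117 ;;  # advisory says 116 or 117; 117 keeps the check conservative
        102.0) echo 41 ;;
        94.0)  echo 30 ;;
        86.0)  echo 43 ;;
        *)     return 1 ;;  # branch not in the list
    esac
}

# cpanel_is_fixed VERSION -> 0 fixed, 1 below the fixed build, 2 branch not listed.
cpanel_is_fixed() {
    ver=$(normalize_version "$1")
    printf '%s' "$ver" | grep -Eq '^11\.[0-9]+\.[0-9]+\.[0-9]+$' || return 2
    rest=${ver#11.}
    branch=${rest%%.*}; rest=${rest#*.}
    minor=${rest%%.*}; build=${rest#*.}
    floor=$(fixed_build_for "$branch.$minor") || return 2
    [ "$build" -ge "$floor" ]
}

# Print a verdict for one build string and pass its status code through.
report() {
    rc=0
    cpanel_is_fixed "$1" || rc=$?
    case $rc in
        0) echo "$1: fixed build for its branch" ;;
        1) echo "$1: BELOW the fixed build; run /scripts/upcp --force and re-check" ;;
        *) echo "$1: branch not in the advisory list; check the advisory by hand" ;;
    esac
    return $rc
}

# Listening sockets on the default cPanel service ports. A 0.0.0.0 or [::] bind is
# internet-facing unless a firewall in front of the host restricts it.
list_panel_listeners() {
    command -v ss >/dev/null 2>&1 || { echo "ss not available; skip port check"; return 0; }
    ss -ltn 2>/dev/null | awk '$4 ~ /:(2082|2083|2086|2087|2095|2096|2077|2078)$/ { print "listening:", $4 }'
}

main() {
    if [ -r /usr/local/cpanel/version ]; then
        report "$(cat /usr/local/cpanel/version)"
        rc=$?
        list_panel_listeners
        return $rc
    fi
    # No cPanel on this host: walk constructed sample build strings instead.
    for v in 11.134.0.25 11.134.0.24 "110.0 (build 117)" 11.110.0.116 11.136.1.10 11.140.0.1; do
        report "$v" || :
    done
}

main
```

Run it on the server after /scripts/upcp --force finishes; a non-zero exit means either the build is still below the floor for its branch or the branch is not one the advisory lists, and both cases deserve a manual look before the host is considered done.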

This is exactly the sort of hosting-platform patch that is easy to postpone because it is not tied to a flashy exploit yet. That is the wrong instinct. The safer path is to finish the cPanel update before the weekend backlog grows, then confirm the build and reduce public access to admin surfaces wherever practical.

References

  1. cPanel, “Security: CVE-2026-29201 – cPanel & WHM / WP2 Security Update – May 08, 2026,” May 8, 2026. Advisory.
  2. cPanel, “Security: CVE-2026-29202 – cPanel & WHM / WP2 Security Update – May 08, 2026,” May 8, 2026. Advisory.
  3. cPanel, “Security: CVE-2026-29203 – cPanel & WHM / WP2 Security Update – May 08, 2026,” May 8, 2026. Advisory.
  4. The Hacker News, “cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now,” published May 9, 2026. Coverage.
  5. cPanel, “Security: CVE-2026-41940 – cPanel & WHM / WP2 Security Update 04/28/2026,” updated May 7, 2026. Advisory.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.