18 vulnerabilities found for cPanel by WebPros
CVE-2026-32991 (GCVE-0-2026-32991)
Vulnerability from nvd – Published: 2026-05-13 22:07 – Updated: 2026-05-14 13:11
Summary
Improper authorization checks of team members' privileges allow a team member to escalate privileges to the team owner account.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version |
|---|---|---|
| WebPros | cPanel | Affected: 11.136.0.0 , < 11.136.0.10 (semver); Affected: 11.134.0.0 , < 11.134.0.26 (semver); Affected: 11.132.0.0 , < 11.132.0.32 (semver); Affected: 11.130.0.0 , < 11.130.0.23 (semver); Affected: 11.126.0.0 , < 11.126.0.59 (semver); Affected: 11.124.0.0 , < 11.124.0.38 (semver); Affected: 11.118.0.0 , < 11.118.0.67 (semver); Affected: 11.110.0.0 , < 11.110.0.119 (semver) |
| WebPros | WP Squared | Affected: 11.136.1.0 , < 11.136.1.12 (semver) |
| WebPros | cPanel (CloudLinux 6, CentOS 6) | Affected: 11.110.0.0 , < 11.110.0.118 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32991",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:11:15.440259Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:11:23.622Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.10",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.26",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.32",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.23",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.59",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
},
{
"lessThan": "11.124.0.38",
"status": "affected",
"version": "11.124.0.0",
"versionType": "semver"
},
{
"lessThan": "11.118.0.67",
"status": "affected",
"version": "11.118.0.0",
"versionType": "semver"
},
{
"lessThan": "11.110.0.119",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.12",
"status": "affected",
"version": "11.136.1.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "cPanel (CloudLinux 6, CentOS 6)",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.110.0.118",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T22:07:16.151Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40437254183959-Security-CVE-2026-32991-cPanel-WHM-WP2-Security-Update-May-13-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-32991",
"datePublished": "2026-05-13T22:07:16.151Z",
"dateReserved": "2026-03-17T15:00:07.746Z",
"dateUpdated": "2026-05-14T13:11:23.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29206 (GCVE-0-2026-29206)
Vulnerability from nvd – Published: 2026-05-13 22:07 – Updated: 2026-05-14 13:55
Summary
Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - SQL Injection
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version |
|---|---|---|
| WebPros | cPanel | Affected: 11.136.0.0 , < 11.136.0.10 (semver); Affected: 11.134.0.0 , < 11.134.0.26 (semver); Affected: 11.132.0.0 , < 11.132.0.32 (semver); Affected: 11.130.0.0 , < 11.130.0.23 (semver); Affected: 11.126.0.0 , < 11.126.0.59 (semver); Affected: 11.124.0.0 , < 11.124.0.38 (semver); Affected: 11.118.0.0 , < 11.118.0.67 (semver); Affected: 11.110.0.0 , < 11.110.0.119 (semver); Affected: 11.102.0.0 , < 11.102.0.42 (semver); Affected: 11.94.0.0 , < 11.94.0.31 (semver); Affected: 11.30.0.0 , < 11.86.0.44 (semver) |
| WebPros | WP Squared | Affected: 11.136.1.0 , < 11.136.1.12 (semver) |
| WebPros | cPanel (CloudLinux 6, CentOS 6) | Affected: 11.110.0.0 , < 11.110.0.118 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29206",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:55:04.846635Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:55:12.266Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.10",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.26",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.32",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.23",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.59",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
},
{
"lessThan": "11.124.0.38",
"status": "affected",
"version": "11.124.0.0",
"versionType": "semver"
},
{
"lessThan": "11.118.0.67",
"status": "affected",
"version": "11.118.0.0",
"versionType": "semver"
},
{
"lessThan": "11.110.0.119",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
},
{
"lessThan": "11.102.0.42",
"status": "affected",
"version": "11.102.0.0",
"versionType": "semver"
},
{
"lessThan": "11.94.0.31",
"status": "affected",
"version": "11.94.0.0",
"versionType": "semver"
},
{
"lessThan": "11.86.0.44",
"status": "affected",
"version": "11.30.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.12",
"status": "affected",
"version": "11.136.1.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "cPanel (CloudLinux 6, CentOS 6)",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.110.0.118",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T22:07:16.256Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40437213099159-Security-CVE-2026-29206-cPanel-WHM-WP2-Security-Update-May-13-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29206",
"datePublished": "2026-05-13T22:07:16.256Z",
"dateReserved": "2026-03-04T15:00:09.267Z",
"dateUpdated": "2026-05-14T13:55:12.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32993 (GCVE-0-2026-32993)
Vulnerability from nvd – Published: 2026-05-13 22:06 – Updated: 2026-05-14 13:12
Summary
Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows an unauthenticated attacker to inject arbitrary HTTP headers into the response.
Severity
8.3 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-93 - CRLF Injection
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| WebPros | cPanel | Affected: 11.132.0.0 , < 11.132.0.32 (semver); Affected: 11.134.0.0 , < 11.134.0.26 (semver); Affected: 11.136.0.0 , < 11.136.0.10 (semver) |
| WebPros | WP Squared | Affected: 11.132.1.0 , < 11.136.1.12 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32993",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:12:12.439407Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:12:33.758Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.132.0.32",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.26",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.136.0.10",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.12",
"status": "affected",
"version": "11.132.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 CRLF Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T22:06:04.114Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40437313190295-Security-CVE-2026-32993-cPanel-WHM-WP2-Security-Update-May-13-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-32993",
"datePublished": "2026-05-13T22:06:04.114Z",
"dateReserved": "2026-03-17T15:00:07.746Z",
"dateUpdated": "2026-05-14T13:12:33.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32992 (GCVE-0-2026-32992)
Vulnerability from nvd – Published: 2026-05-13 22:06 – Updated: 2026-05-14 13:13
Summary
SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials.
Severity
8.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| WebPros | cPanel | Affected: 11.136.0.0 , < 11.136.0.10 (semver); Affected: 11.134.0.0 , < 11.134.0.26 (semver); Affected: 11.132.0.0 , < 11.132.0.32 (semver); Affected: 11.130.0.0 , < 11.130.0.23 (semver); Affected: 11.126.0.0 , < 11.126.0.59 (semver) |
| WebPros | WP Squared | Affected: 11.126.1.0 , < 11.136.1.12 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32992",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:12:58.222950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:13:06.565Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.10",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.26",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.32",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.23",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.59",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.12",
"status": "affected",
"version": "11.126.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T22:06:04.157Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40437241987607-Security-CVE-2026-32992-cPanel-WHM-WP2-Security-Update-May-13-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-32992",
"datePublished": "2026-05-13T22:06:04.157Z",
"dateReserved": "2026-03-17T15:00:07.746Z",
"dateUpdated": "2026-05-14T13:13:06.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29205 (GCVE-0-2026-29205)
Vulnerability from nvd – Published: 2026-05-13 22:06 – Updated: 2026-05-14 13:13
Summary
Incorrect privilege management and insufficient path filtering allow arbitrary files on the server to be read via the cpdavd attachment download endpoints.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| WebPros | cPanel | Affected: 11.136.0.0 , < 11.136.0.10 (semver); Affected: 11.134.0.0 , < 11.134.0.26 (semver); Affected: 11.132.0.0 , < 11.132.0.32 (semver); Affected: 11.130.0.0 , < 11.130.0.23 (semver); Affected: 11.126.0.0 , < 11.126.0.59 (semver); Affected: 11.120.0.0 , < 11.124.0.38 (semver) |
| WebPros | WP Squared | Affected: 11.120.1.0 , < 11.136.1.12 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29205",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:13:34.728020Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:13:52.380Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.10",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.26",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.32",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.23",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.59",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
},
{
"lessThan": "11.124.0.38",
"status": "affected",
"version": "11.120.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.12",
"status": "affected",
"version": "11.120.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T22:06:04.220Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40437020299927-Security-CVE-2026-29205-cPanel-WHM-WP2-Security-Update-May-13-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29205",
"datePublished": "2026-05-13T22:06:04.220Z",
"dateReserved": "2026-03-04T15:00:09.267Z",
"dateUpdated": "2026-05-14T13:13:52.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29203 (GCVE-0-2026-29203)
Vulnerability from nvd – Published: 2026-05-08 18:51 – Updated: 2026-05-15 17:14
Summary
A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.
Severity
5.3 (Medium) – CVSS 4.0, CNA (hackerone)
8.8 (High) – CVSS 3.1, CISA-ADP
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-61 - UNIX Symbolic Link (Symlink) Following
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version |
|---|---|---|
| WebPros | cPanel | Affected: 11.136.0.0 , < 11.136.0.9 (semver); Affected: 11.134.0.0 , < 11.134.0.25 (semver); Affected: 11.132.0.0 , < 11.132.0.31 (semver); Affected: 11.130.0.0 , < 11.130.0.22 (semver); Affected: 11.126.0.0 , < 11.126.0.58 (semver); Affected: 11.124.0.0 , < 11.124.0.37 (semver); Affected: 11.118.0.0 , < 11.118.0.66 (semver); Affected: 11.110.0.0 , < 11.110.0.117 (semver); Affected: 11.102.0.0 , < 11.102.0.41 (semver); Affected: 11.94.0.0 , < 11.94.0.30 (semver); Affected: 11.86.0.0 , < 11.86.0.43 (semver) |
| WebPros | cPanel (CloudLinux 6, CentOS 6) | Affected: 11.110.0.0 , < 11.110.0.116 (semver) |
| WebPros | WP Squared | Affected: 11.136.1.0 , < 11.136.1.10 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-29203",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:56:05.260Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.9",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.25",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.31",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.22",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.58",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
},
{
"lessThan": "11.124.0.37",
"status": "affected",
"version": "11.124.0.0",
"versionType": "semver"
},
{
"lessThan": "11.118.0.66",
"status": "affected",
"version": "11.118.0.0",
"versionType": "semver"
},
{
"lessThan": "11.110.0.117",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
},
{
"lessThan": "11.102.0.41",
"status": "affected",
"version": "11.102.0.0",
"versionType": "semver"
},
{
"lessThan": "11.94.0.30",
"status": "affected",
"version": "11.94.0.0",
"versionType": "semver"
},
{
"lessThan": "11.86.0.43",
"status": "affected",
"version": "11.86.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "cPanel (CloudLinux 6, CentOS 6)",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.110.0.116",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.10",
"status": "affected",
"version": "11.136.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A chmod call in the cPanel Nova plugin\u0027s Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61 UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T17:14:52.318Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40311543760407-Security-CVE-2026-29203-cPanel-WHM-WP2-Security-Update-May-08-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29203",
"datePublished": "2026-05-08T18:51:05.541Z",
"dateReserved": "2026-03-04T15:00:09.267Z",
"dateUpdated": "2026-05-15T17:14:52.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29202 (GCVE-0-2026-29202)
Vulnerability from nvd – Published: 2026-05-08 18:51 – Updated: 2026-05-13 22:03
Summary
Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.
Severity
5.3 (Medium) – CVSS 4.0, CNA (hackerone)
8.8 (High) – CVSS 3.1, CISA-ADP
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Code Injection
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version |
|---|---|---|
| WebPros | cPanel | Affected: 11.136.0.0 , < 11.136.0.9 (semver); Affected: 11.134.0.0 , < 11.134.0.25 (semver); Affected: 11.132.0.0 , < 11.132.0.31 (semver); Affected: 11.130.0.0 , < 11.130.0.22 (semver); Affected: 11.126.0.0 , < 11.126.0.58 (semver); Affected: 11.124.0.0 , < 11.124.0.37 (semver); Affected: 11.118.0.0 , < 11.118.0.66 (semver); Affected: 11.110.0.0 , < 11.110.0.117 (semver); Affected: 11.102.0.0 , < 11.102.0.41 (semver); Affected: 11.94.0.0 , < 11.94.0.30 (semver); Affected: 11.86.0.0 , < 11.86.0.43 (semver) |
| WebPros | cPanel (CloudLinux 6, CentOS 6) | Affected: 11.110.0.0 , < 11.110.0.116 (semver) |
| WebPros | WP Squared | Affected: 11.136.1.0 , < 11.136.1.11 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-29202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:56:06.386Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.9",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.25",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.31",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.22",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.58",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
},
{
"lessThan": "11.124.0.37",
"status": "affected",
"version": "11.124.0.0",
"versionType": "semver"
},
{
"lessThan": "11.118.0.66",
"status": "affected",
"version": "11.118.0.0",
"versionType": "semver"
},
{
"lessThan": "11.110.0.117",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
},
{
"lessThan": "11.102.0.41",
"status": "affected",
"version": "11.102.0.0",
"versionType": "semver"
},
{
"lessThan": "11.94.0.30",
"status": "affected",
"version": "11.94.0.0",
"versionType": "semver"
},
{
"lessThan": "11.86.0.43",
"status": "affected",
"version": "11.86.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "cPanel (CloudLinux 6, CentOS 6)",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.110.0.116",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.11",
"status": "affected",
"version": "11.136.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account\u0027s system user."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T22:03:15.187Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40311426610327-Security-CVE-2026-29202-cPanel-WHM-WP2-Security-Update-May-08-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29202",
"datePublished": "2026-05-08T18:51:05.585Z",
"dateReserved": "2026-03-04T15:00:09.267Z",
"dateUpdated": "2026-05-13T22:03:15.187Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29201 (GCVE-0-2026-29201)
Vulnerability from nvd – Published: 2026-05-08 18:51 – Updated: 2026-05-13 21:59
Summary
Insufficient input validation of the feature file name in the `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
Severity
8.6 (High) – CVSS 3.1, CNA (hackerone)
4.3 (Medium) – CVSS 3.1, CISA-ADP
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version |
|---|---|---|
| WebPros | cPanel | Affected: 11.136.0.0 , < 11.136.0.9 (semver); Affected: 11.134.0.0 , < 11.134.0.25 (semver); Affected: 11.132.0.0 , < 11.132.0.31 (semver); Affected: 11.130.0.0 , < 11.130.0.22 (semver); Affected: 11.126.0.0 , < 11.126.0.58 (semver); Affected: 11.124.0.0 , < 11.124.0.37 (semver); Affected: 11.118.0.0 , < 11.118.0.66 (semver); Affected: 11.110.0.0 , < 11.110.0.117 (semver); Affected: 11.102.0.0 , < 11.102.0.41 (semver); Affected: 11.94.0.0 , < 11.94.0.30 (semver); Affected: 11.86.0.0 , < 11.86.0.43 (semver) |
| WebPros | WP Squared | Affected: 11.136.1.0 , < 11.136.1.11 (semver) |
| WebPros | cPanel (CloudLinux 6, CentOS 6) | Affected: 11.110.0.0 , < 11.110.0.116 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-29201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T19:52:34.386985Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T19:52:40.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.9",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.25",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.31",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.22",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.58",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
},
{
"lessThan": "11.124.0.37",
"status": "affected",
"version": "11.124.0.0",
"versionType": "semver"
},
{
"lessThan": "11.118.0.66",
"status": "affected",
"version": "11.118.0.0",
"versionType": "semver"
},
{
"lessThan": "11.110.0.117",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
},
{
"lessThan": "11.102.0.41",
"status": "affected",
"version": "11.102.0.0",
"versionType": "semver"
},
{
"lessThan": "11.94.0.30",
"status": "affected",
"version": "11.94.0.0",
"versionType": "semver"
},
{
"lessThan": "11.86.0.43",
"status": "affected",
"version": "11.86.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.11",
"status": "affected",
"version": "11.136.1.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "cPanel (CloudLinux 6, CentOS 6)",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.110.0.116",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T21:59:09.469Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40311033698327-Security-CVE-2026-29201-cPanel-WHM-WP2-Security-Update-May-08-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29201",
"datePublished": "2026-05-08T18:51:05.803Z",
"dateReserved": "2026-03-04T15:00:09.267Z",
"dateUpdated": "2026-05-13T21:59:09.469Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41940 (GCVE-0-2026-41940)
Vulnerability from nvd – Published: 2026-04-29 15:10 – Updated: 2026-05-06 15:48
VLAI
CISA KEV
EUVD KEV
Title
WebPros cPanel and WHM Authentication Bypass via Login Flow
Summary
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Severity
9.8 (Critical)
SSVC
Exploitation: active
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://support.cpanel.net/hc/en-us/articles/4007… | vendor-advisory, patch |
| https://docs.cpanel.net/release-notes/release-notes | release-notes |
| https://docs.wpsquared.com/changelogs/versions/ch… | release-notes |
| https://www.namecheap.com/status-updates/ongoing-… | third-party-advisory |
| https://www.vulncheck.com/advisories/cpanel-and-w… | third-party-advisory |
| https://github.com/watchtowrlabs/watchTowr-vs-cPa… | exploit |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
| https://www.bleepingcomputer.com/news/security/cr… | |
| https://labs.watchtowr.com/the-internet-is-fallin… | |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | cPanel |
Affected:
11.40.0.0 , < 11.86.0.41
(custom)
Affected: 11.88.0.0 , < 11.94.0.28 (custom) Affected: 11.96.0.0 , < 11.102.0.39 (custom) Affected: 11.104.0.0 , < 11.110.0.97 (custom) Affected: 11.112.0.0 , < 11.118.0.63 (custom) Affected: 11.120.0.0 , < 11.124.0.35 (custom) Affected: 11.126.0.0 , < 11.126.0.54 (custom) Affected: 11.128.0.0 , < 11.130.0.19 (custom) Affected: 11.132.0.0 , < 11.132.0.29 (custom) Affected: 11.134.0.0 , < 11.134.0.20 (custom) Affected: 11.136.0.0 , < 11.136.0.5 (custom) |
|
| WebPros | WP Squared |
Unaffected:
11.136.1.7
(custom)
|
|
| WebPros | WHM |
Affected:
11.40.0.0 , < 11.86.0.41
(custom)
Affected: 11.88.0.0 , < 11.94.0.28 (custom) Affected: 11.96.0.0 , < 11.102.0.39 (custom) Affected: 11.104.0.0 , < 11.110.0.97 (custom) Affected: 11.112.0.0 , < 11.118.0.63 (custom) Affected: 11.120.0.0 , < 11.124.0.35 (custom) Affected: 11.126.0.0 , < 11.126.0.54 (custom) Affected: 11.128.0.0 , < 11.130.0.19 (custom) Affected: 11.132.0.0 , < 11.132.0.29 (custom) Affected: 11.134.0.0 , < 11.134.0.20 (custom) Affected: 11.136.0.0 , < 11.136.0.5 (custom) |
Date Public
2026-04-28 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41940",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-04-30",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T03:55:47.986Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-30T00:00:00.000Z",
"value": "CVE-2026-41940 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-05-04T16:13:16.841Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/"
},
{
"url": "https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.86.0.41",
"status": "affected",
"version": "11.40.0.0",
"versionType": "custom"
},
{
"lessThan": "11.94.0.28",
"status": "affected",
"version": "11.88.0.0",
"versionType": "custom"
},
{
"lessThan": "11.102.0.39",
"status": "affected",
"version": "11.96.0.0",
"versionType": "custom"
},
{
"lessThan": "11.110.0.97",
"status": "affected",
"version": "11.104.0.0",
"versionType": "custom"
},
{
"lessThan": "11.118.0.63",
"status": "affected",
"version": "11.112.0.0",
"versionType": "custom"
},
{
"lessThan": "11.124.0.35",
"status": "affected",
"version": "11.120.0.0",
"versionType": "custom"
},
{
"lessThan": "11.126.0.54",
"status": "affected",
"version": "11.126.0.0",
"versionType": "custom"
},
{
"lessThan": "11.130.0.19",
"status": "affected",
"version": "11.128.0.0",
"versionType": "custom"
},
{
"lessThan": "11.132.0.29",
"status": "affected",
"version": "11.132.0.0",
"versionType": "custom"
},
{
"lessThan": "11.134.0.20",
"status": "affected",
"version": "11.134.0.0",
"versionType": "custom"
},
{
"lessThan": "11.136.0.5",
"status": "affected",
"version": "11.136.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"status": "unaffected",
"version": "11.136.1.7",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "WHM",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.86.0.41",
"status": "affected",
"version": "11.40.0.0",
"versionType": "custom"
},
{
"lessThan": "11.94.0.28",
"status": "affected",
"version": "11.88.0.0",
"versionType": "custom"
},
{
"lessThan": "11.102.0.39",
"status": "affected",
"version": "11.96.0.0",
"versionType": "custom"
},
{
"lessThan": "11.110.0.97",
"status": "affected",
"version": "11.104.0.0",
"versionType": "custom"
},
{
"lessThan": "11.118.0.63",
"status": "affected",
"version": "11.112.0.0",
"versionType": "custom"
},
{
"lessThan": "11.124.0.35",
"status": "affected",
"version": "11.120.0.0",
"versionType": "custom"
},
{
"lessThan": "11.126.0.54",
"status": "affected",
"version": "11.126.0.0",
"versionType": "custom"
},
{
"lessThan": "11.130.0.19",
"status": "affected",
"version": "11.128.0.0",
"versionType": "custom"
},
{
"lessThan": "11.132.0.29",
"status": "affected",
"version": "11.132.0.0",
"versionType": "custom"
},
{
"lessThan": "11.134.0.20",
"status": "affected",
"version": "11.134.0.0",
"versionType": "custom"
},
{
"lessThan": "11.136.0.5",
"status": "affected",
"version": "11.136.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.86.0.41",
"versionStartIncluding": "11.40.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.94.0.28",
"versionStartIncluding": "11.88.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.102.0.39",
"versionStartIncluding": "11.96.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.110.0.97",
"versionStartIncluding": "11.104.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.118.0.63",
"versionStartIncluding": "11.112.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.124.0.35",
"versionStartIncluding": "11.120.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.126.0.54",
"versionStartIncluding": "11.126.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.130.0.19",
"versionStartIncluding": "11.128.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.132.0.29",
"versionStartIncluding": "11.132.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.134.0.20",
"versionStartIncluding": "11.134.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.136.0.5",
"versionStartIncluding": "11.136.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.86.0.41",
"versionStartIncluding": "11.40.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.94.0.28",
"versionStartIncluding": "11.88.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.102.0.39",
"versionStartIncluding": "11.96.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.110.0.97",
"versionStartIncluding": "11.104.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.118.0.63",
"versionStartIncluding": "11.112.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.124.0.35",
"versionStartIncluding": "11.120.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.126.0.54",
"versionStartIncluding": "11.126.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.130.0.19",
"versionStartIncluding": "11.128.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.132.0.29",
"versionStartIncluding": "11.132.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.130.0.18",
"versionStartIncluding": "11.134.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cpanel:wp_squared:*:*:*:*:*:*:*:*",
"versionEndExcluding": "136.1.7",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"datePublic": "2026-04-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T15:48:18.270Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.cpanel.net/release-notes/release-notes"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.wpsquared.com/changelogs/versions/changelog/#13617"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WebPros cPanel and WHM Authentication Bypass via Login Flow",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-41940",
"datePublished": "2026-04-29T15:10:37.899Z",
"dateReserved": "2026-04-22T18:50:43.621Z",
"dateUpdated": "2026-05-06T15:48:18.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29206 (GCVE-0-2026-29206)
Vulnerability from cvelistv5 – Published: 2026-05-13 22:07 – Updated: 2026-05-14 13:55
VLAI
Summary
Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - SQL Injection
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | cPanel |
Affected:
11.136.0.0 , < 11.136.0.10
(semver)
Affected: 11.134.0.0 , < 11.134.0.26 (semver) Affected: 11.132.0.0 , < 11.132.0.32 (semver) Affected: 11.130.0.0 , < 11.130.0.23 (semver) Affected: 11.126.0.0 , < 11.126.0.59 (semver) Affected: 11.124.0.0 , < 11.124.0.38 (semver) Affected: 11.118.0.0 , < 11.118.0.67 (semver) Affected: 11.110.0.0 , < 11.110.0.119 (semver) Affected: 11.102.0.0 , < 11.102.0.42 (semver) Affected: 11.94.0.0 , < 11.94.0.31 (semver) Affected: 11.30.0.0 , < 11.86.0.44 (semver) |
|
| WebPros | WP Squared |
Affected:
11.136.1.0 , < 11.136.1.12
(semver)
|
|
| WebPros | cPanel (CloudLinux 6, CentOS 6) |
Affected:
11.110.0.0 , < 11.110.0.118
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29206",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:55:04.846635Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:55:12.266Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.10",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.26",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.32",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.23",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.59",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
},
{
"lessThan": "11.124.0.38",
"status": "affected",
"version": "11.124.0.0",
"versionType": "semver"
},
{
"lessThan": "11.118.0.67",
"status": "affected",
"version": "11.118.0.0",
"versionType": "semver"
},
{
"lessThan": "11.110.0.119",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
},
{
"lessThan": "11.102.0.42",
"status": "affected",
"version": "11.102.0.0",
"versionType": "semver"
},
{
"lessThan": "11.94.0.31",
"status": "affected",
"version": "11.94.0.0",
"versionType": "semver"
},
{
"lessThan": "11.86.0.44",
"status": "affected",
"version": "11.30.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.12",
"status": "affected",
"version": "11.136.1.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "cPanel (CloudLinux 6, CentOS 6)",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.110.0.118",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T22:07:16.256Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40437213099159-Security-CVE-2026-29206-cPanel-WHM-WP2-Security-Update-May-13-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29206",
"datePublished": "2026-05-13T22:07:16.256Z",
"dateReserved": "2026-03-04T15:00:09.267Z",
"dateUpdated": "2026-05-14T13:55:12.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32991 (GCVE-0-2026-32991)
Vulnerability from cvelistv5 – Published: 2026-05-13 22:07 – Updated: 2026-05-14 13:11
VLAI
Summary
Improper authorization checks of team members' privileges allow a team member to escalate privileges to the team owner account.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | cPanel |
Affected:
11.136.0.0 , < 11.136.0.10
(semver)
Affected: 11.134.0.0 , < 11.134.0.26 (semver) Affected: 11.132.0.0 , < 11.132.0.32 (semver) Affected: 11.130.0.0 , < 11.130.0.23 (semver) Affected: 11.126.0.0 , < 11.126.0.59 (semver) Affected: 11.124.0.0 , < 11.124.0.38 (semver) Affected: 11.118.0.0 , < 11.118.0.67 (semver) Affected: 11.110.0.0 , < 11.110.0.119 (semver) |
|
| WebPros | WP Squared |
Affected:
11.136.1.0 , < 11.136.1.12
(semver)
|
|
| WebPros | cPanel (CloudLinux 6, CentOS 6) |
Affected:
11.110.0.0 , < 11.110.0.118
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32991",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:11:15.440259Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:11:23.622Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.10",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.26",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.32",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.23",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.59",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
},
{
"lessThan": "11.124.0.38",
"status": "affected",
"version": "11.124.0.0",
"versionType": "semver"
},
{
"lessThan": "11.118.0.67",
"status": "affected",
"version": "11.118.0.0",
"versionType": "semver"
},
{
"lessThan": "11.110.0.119",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.12",
"status": "affected",
"version": "11.136.1.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "cPanel (CloudLinux 6, CentOS 6)",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.110.0.118",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T22:07:16.151Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40437254183959-Security-CVE-2026-32991-cPanel-WHM-WP2-Security-Update-May-13-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-32991",
"datePublished": "2026-05-13T22:07:16.151Z",
"dateReserved": "2026-03-17T15:00:07.746Z",
"dateUpdated": "2026-05-14T13:11:23.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29205 (GCVE-0-2026-29205)
Vulnerability from cvelistv5 – Published: 2026-05-13 22:06 – Updated: 2026-05-14 13:13
VLAI
Summary
Incorrect privilege management and insufficient path filtering allow arbitrary files on the server to be read via the cpdavd attachment download endpoints.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | cPanel |
Affected:
11.136.0.0 , < 11.136.0.10
(semver)
Affected: 11.134.0.0 , < 11.134.0.26 (semver) Affected: 11.132.0.0 , < 11.132.0.32 (semver) Affected: 11.130.0.0 , < 11.130.0.23 (semver) Affected: 11.126.0.0 , < 11.126.0.59 (semver) Affected: 11.120.0.0 , < 11.124.0.38 (semver) |
|
| WebPros | WP Squared |
Affected:
11.120.1.0 , < 11.136.1.12
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29205",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:13:34.728020Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:13:52.380Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.10",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.26",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.32",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.23",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.59",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
},
{
"lessThan": "11.124.0.38",
"status": "affected",
"version": "11.120.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.12",
"status": "affected",
"version": "11.120.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T22:06:04.220Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40437020299927-Security-CVE-2026-29205-cPanel-WHM-WP2-Security-Update-May-13-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29205",
"datePublished": "2026-05-13T22:06:04.220Z",
"dateReserved": "2026-03-04T15:00:09.267Z",
"dateUpdated": "2026-05-14T13:13:52.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32992 (GCVE-0-2026-32992)
Vulnerability from cvelistv5 – Published: 2026-05-13 22:06 – Updated: 2026-05-14 13:13
VLAI
Summary
SSL verification is disabled in the DNS Cluster system. This could allow a malicious server to intercept the request as a man-in-the-middle and capture credentials.
Severity
8.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | cPanel |
Affected:
11.136.0.0 , < 11.136.0.10
(semver)
Affected: 11.134.0.0 , < 11.134.0.26 (semver) Affected: 11.132.0.0 , < 11.132.0.32 (semver) Affected: 11.130.0.0 , < 11.130.0.23 (semver) Affected: 11.126.0.0 , < 11.126.0.59 (semver) |
|
| WebPros | WP Squared |
Affected:
11.126.1.0 , < 11.136.1.12
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32992",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:12:58.222950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:13:06.565Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.10",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.26",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.32",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.23",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.59",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.12",
"status": "affected",
"version": "11.126.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T22:06:04.157Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40437241987607-Security-CVE-2026-32992-cPanel-WHM-WP2-Security-Update-May-13-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-32992",
"datePublished": "2026-05-13T22:06:04.157Z",
"dateReserved": "2026-03-17T15:00:07.746Z",
"dateUpdated": "2026-05-14T13:13:06.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32993 (GCVE-0-2026-32993)
Vulnerability from cvelistv5 – Published: 2026-05-13 22:06 – Updated: 2026-05-14 13:12
VLAI
Summary
Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows an unauthenticated attacker to inject arbitrary HTTP headers into the response.
Severity
8.3 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-93 - CRLF Injection
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | cPanel |
Affected:
11.132.0.0 , < 11.132.0.32
(semver)
Affected: 11.134.0.0 , < 11.134.0.26 (semver) Affected: 11.136.0.0 , < 11.136.0.10 (semver) |
|
| WebPros | WP Squared |
Affected:
11.132.1.0 , < 11.136.1.12
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32993",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:12:12.439407Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:12:33.758Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.132.0.32",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.26",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.136.0.10",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.12",
"status": "affected",
"version": "11.132.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 CRLF Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T22:06:04.114Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40437313190295-Security-CVE-2026-32993-cPanel-WHM-WP2-Security-Update-May-13-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-32993",
"datePublished": "2026-05-13T22:06:04.114Z",
"dateReserved": "2026-03-17T15:00:07.746Z",
"dateUpdated": "2026-05-14T13:12:33.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29201 (GCVE-0-2026-29201)
Vulnerability from cvelistv5 – Published: 2026-05-08 18:51 – Updated: 2026-05-13 21:59
VLAI
Summary
Insufficient input validation of the feature file name in the `feature::LOADFEATUREFILE` adminbin call can allow arbitrary file read when a relative file path is passed.
Severity
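8.6 (High) – CNA (hackerone), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
4.3 (Medium) – CISA-ADP, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N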
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | cPanel |
Affected:
11.136.0.0 , < 11.136.0.9
(semver)
Affected: 11.134.0.0 , < 11.134.0.25 (semver) Affected: 11.132.0.0 , < 11.132.0.31 (semver) Affected: 11.130.0.0 , < 11.130.0.22 (semver) Affected: 11.126.0.0 , < 11.126.0.58 (semver) Affected: 11.124.0.0 , < 11.124.0.37 (semver) Affected: 11.118.0.0 , < 11.118.0.66 (semver) Affected: 11.110.0.0 , < 11.110.0.117 (semver) Affected: 11.102.0.0 , < 11.102.0.41 (semver) Affected: 11.94.0.0 , < 11.94.0.30 (semver) Affected: 11.86.0.0 , < 11.86.0.43 (semver) |
|
| WebPros | WP Squared |
Affected:
11.136.1.0 , < 11.136.1.11
(semver)
|
|
| WebPros | cPanel (CloudLinux 6, CentOS 6) |
Affected:
11.110.0.0 , < 11.110.0.116
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-29201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T19:52:34.386985Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T19:52:40.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.9",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.25",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.31",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.22",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.58",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
},
{
"lessThan": "11.124.0.37",
"status": "affected",
"version": "11.124.0.0",
"versionType": "semver"
},
{
"lessThan": "11.118.0.66",
"status": "affected",
"version": "11.118.0.0",
"versionType": "semver"
},
{
"lessThan": "11.110.0.117",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
},
{
"lessThan": "11.102.0.41",
"status": "affected",
"version": "11.102.0.0",
"versionType": "semver"
},
{
"lessThan": "11.94.0.30",
"status": "affected",
"version": "11.94.0.0",
"versionType": "semver"
},
{
"lessThan": "11.86.0.43",
"status": "affected",
"version": "11.86.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.11",
"status": "affected",
"version": "11.136.1.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "cPanel (CloudLinux 6, CentOS 6)",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.110.0.116",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T21:59:09.469Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40311033698327-Security-CVE-2026-29201-cPanel-WHM-WP2-Security-Update-May-08-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29201",
"datePublished": "2026-05-08T18:51:05.803Z",
"dateReserved": "2026-03-04T15:00:09.267Z",
"dateUpdated": "2026-05-13T21:59:09.469Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29202 (GCVE-0-2026-29202)
Vulnerability from cvelistv5 – Published: 2026-05-08 18:51 – Updated: 2026-05-13 22:03
VLAI
Summary
Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.
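Severity
5.3 (Medium) – CNA (hackerone), CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
8.8 (High) – CISA-ADP, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H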
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Code Injection
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | cPanel |
Affected:
11.136.0.0 , < 11.136.0.9
(semver)
Affected: 11.134.0.0 , < 11.134.0.25 (semver) Affected: 11.132.0.0 , < 11.132.0.31 (semver) Affected: 11.130.0.0 , < 11.130.0.22 (semver) Affected: 11.126.0.0 , < 11.126.0.58 (semver) Affected: 11.124.0.0 , < 11.124.0.37 (semver) Affected: 11.118.0.0 , < 11.118.0.66 (semver) Affected: 11.110.0.0 , < 11.110.0.117 (semver) Affected: 11.102.0.0 , < 11.102.0.41 (semver) Affected: 11.94.0.0 , < 11.94.0.30 (semver) Affected: 11.86.0.0 , < 11.86.0.43 (semver) |
|
| WebPros | cPanel (CloudLinux 6, CentOS 6) |
Affected:
11.110.0.0 , < 11.110.0.116
(semver)
|
|
| WebPros | WP Squared |
Affected:
11.136.1.0 , < 11.136.1.11
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-29202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:56:06.386Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.9",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.25",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.31",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.22",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.58",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
},
{
"lessThan": "11.124.0.37",
"status": "affected",
"version": "11.124.0.0",
"versionType": "semver"
},
{
"lessThan": "11.118.0.66",
"status": "affected",
"version": "11.118.0.0",
"versionType": "semver"
},
{
"lessThan": "11.110.0.117",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
},
{
"lessThan": "11.102.0.41",
"status": "affected",
"version": "11.102.0.0",
"versionType": "semver"
},
{
"lessThan": "11.94.0.30",
"status": "affected",
"version": "11.94.0.0",
"versionType": "semver"
},
{
"lessThan": "11.86.0.43",
"status": "affected",
"version": "11.86.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "cPanel (CloudLinux 6, CentOS 6)",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.110.0.116",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.11",
"status": "affected",
"version": "11.136.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account\u0027s system user."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T22:03:15.187Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40311426610327-Security-CVE-2026-29202-cPanel-WHM-WP2-Security-Update-May-08-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29202",
"datePublished": "2026-05-08T18:51:05.585Z",
"dateReserved": "2026-03-04T15:00:09.267Z",
"dateUpdated": "2026-05-13T22:03:15.187Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29203 (GCVE-0-2026-29203)
Vulnerability from cvelistv5 – Published: 2026-05-08 18:51 – Updated: 2026-05-15 17:14
VLAI
Summary
A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.
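Severity
5.3 (Medium) – CNA (hackerone), CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
8.8 (High) – CISA-ADP, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H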
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-61 - UNIX Symbolic Link (Symlink) Following
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | cPanel |
Affected:
11.136.0.0 , < 11.136.0.9
(semver)
Affected: 11.134.0.0 , < 11.134.0.25 (semver) Affected: 11.132.0.0 , < 11.132.0.31 (semver) Affected: 11.130.0.0 , < 11.130.0.22 (semver) Affected: 11.126.0.0 , < 11.126.0.58 (semver) Affected: 11.124.0.0 , < 11.124.0.37 (semver) Affected: 11.118.0.0 , < 11.118.0.66 (semver) Affected: 11.110.0.0 , < 11.110.0.117 (semver) Affected: 11.102.0.0 , < 11.102.0.41 (semver) Affected: 11.94.0.0 , < 11.94.0.30 (semver) Affected: 11.86.0.0 , < 11.86.0.43 (semver) |
|
| WebPros | cPanel (CloudLinux 6, CentOS 6) |
Affected:
11.110.0.0 , < 11.110.0.116
(semver)
|
|
| WebPros | WP Squared |
Affected:
11.136.1.0 , < 11.136.1.10
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-29203",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:56:05.260Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.9",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.25",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.31",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.22",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.58",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
},
{
"lessThan": "11.124.0.37",
"status": "affected",
"version": "11.124.0.0",
"versionType": "semver"
},
{
"lessThan": "11.118.0.66",
"status": "affected",
"version": "11.118.0.0",
"versionType": "semver"
},
{
"lessThan": "11.110.0.117",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
},
{
"lessThan": "11.102.0.41",
"status": "affected",
"version": "11.102.0.0",
"versionType": "semver"
},
{
"lessThan": "11.94.0.30",
"status": "affected",
"version": "11.94.0.0",
"versionType": "semver"
},
{
"lessThan": "11.86.0.43",
"status": "affected",
"version": "11.86.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "cPanel (CloudLinux 6, CentOS 6)",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.110.0.116",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.10",
"status": "affected",
"version": "11.136.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A chmod call in the cPanel Nova plugin\u0027s Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61 UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T17:14:52.318Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40311543760407-Security-CVE-2026-29203-cPanel-WHM-WP2-Security-Update-May-08-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29203",
"datePublished": "2026-05-08T18:51:05.541Z",
"dateReserved": "2026-03-04T15:00:09.267Z",
"dateUpdated": "2026-05-15T17:14:52.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41940 (GCVE-0-2026-41940)
Vulnerability from cvelistv5 – Published: 2026-04-29 15:10 – Updated: 2026-05-06 15:48
VLAI
CISA KEV
EUVD KEV
Title
WebPros cPanel and WHM Authentication Bypass via Login Flow
Summary
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Severity
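9.8 (Critical) – CNA (VulnCheck), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 (Critical) – CNA (VulnCheck), CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N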
SSVC
Exploitation: active
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://support.cpanel.net/hc/en-us/articles/4007… | vendor-advisory, patch |
| https://docs.cpanel.net/release-notes/release-notes | release-notes |
| https://docs.wpsquared.com/changelogs/versions/ch… | release-notes |
| https://www.namecheap.com/status-updates/ongoing-… | third-party-advisory |
| https://www.vulncheck.com/advisories/cpanel-and-w… | third-party-advisory |
| https://github.com/watchtowrlabs/watchTowr-vs-cPa… | exploit |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
| https://www.bleepingcomputer.com/news/security/cr… | |
| https://labs.watchtowr.com/the-internet-is-fallin… | |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | cPanel |
Affected:
11.40.0.0 , < 11.86.0.41
(custom)
Affected: 11.88.0.0 , < 11.94.0.28 (custom) Affected: 11.96.0.0 , < 11.102.0.39 (custom) Affected: 11.104.0.0 , < 11.110.0.97 (custom) Affected: 11.112.0.0 , < 11.118.0.63 (custom) Affected: 11.120.0.0 , < 11.124.0.35 (custom) Affected: 11.126.0.0 , < 11.126.0.54 (custom) Affected: 11.128.0.0 , < 11.130.0.19 (custom) Affected: 11.132.0.0 , < 11.132.0.29 (custom) Affected: 11.134.0.0 , < 11.134.0.20 (custom) Affected: 11.136.0.0 , < 11.136.0.5 (custom) |
|
| WebPros | WP Squared |
Unaffected:
11.136.1.7
(custom)
|
|
| WebPros | WHM |
Affected:
11.40.0.0 , < 11.86.0.41
(custom)
Affected: 11.88.0.0 , < 11.94.0.28 (custom) Affected: 11.96.0.0 , < 11.102.0.39 (custom) Affected: 11.104.0.0 , < 11.110.0.97 (custom) Affected: 11.112.0.0 , < 11.118.0.63 (custom) Affected: 11.120.0.0 , < 11.124.0.35 (custom) Affected: 11.126.0.0 , < 11.126.0.54 (custom) Affected: 11.128.0.0 , < 11.130.0.19 (custom) Affected: 11.132.0.0 , < 11.132.0.29 (custom) Affected: 11.134.0.0 , < 11.134.0.20 (custom) Affected: 11.136.0.0 , < 11.136.0.5 (custom) |
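Note: in the record below, `cpeApplicability` does not fully match `affected.versions`. The WHM list pairs `versionStartIncluding` 11.134.0.0 with `versionEndExcluding` 11.130.0.18 (an empty range; `affected` gives < 11.134.0.20), has no WHM entry for the 11.136.0.0 – 11.136.0.5 range, and gives the WP Squared bound as 136.1.7 rather than 11.136.1.7. CPE-based matching may therefore miss affected WHM 11.134.x and 11.136.x installs; checking installed versions against the `affected` ranges avoids that gap.
Date Public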
2026-04-28 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41940",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-04-30",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T03:55:47.986Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-30T00:00:00.000Z",
"value": "CVE-2026-41940 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-05-04T16:13:16.841Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/"
},
{
"url": "https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.86.0.41",
"status": "affected",
"version": "11.40.0.0",
"versionType": "custom"
},
{
"lessThan": "11.94.0.28",
"status": "affected",
"version": "11.88.0.0",
"versionType": "custom"
},
{
"lessThan": "11.102.0.39",
"status": "affected",
"version": "11.96.0.0",
"versionType": "custom"
},
{
"lessThan": "11.110.0.97",
"status": "affected",
"version": "11.104.0.0",
"versionType": "custom"
},
{
"lessThan": "11.118.0.63",
"status": "affected",
"version": "11.112.0.0",
"versionType": "custom"
},
{
"lessThan": "11.124.0.35",
"status": "affected",
"version": "11.120.0.0",
"versionType": "custom"
},
{
"lessThan": "11.126.0.54",
"status": "affected",
"version": "11.126.0.0",
"versionType": "custom"
},
{
"lessThan": "11.130.0.19",
"status": "affected",
"version": "11.128.0.0",
"versionType": "custom"
},
{
"lessThan": "11.132.0.29",
"status": "affected",
"version": "11.132.0.0",
"versionType": "custom"
},
{
"lessThan": "11.134.0.20",
"status": "affected",
"version": "11.134.0.0",
"versionType": "custom"
},
{
"lessThan": "11.136.0.5",
"status": "affected",
"version": "11.136.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"status": "unaffected",
"version": "11.136.1.7",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "WHM",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.86.0.41",
"status": "affected",
"version": "11.40.0.0",
"versionType": "custom"
},
{
"lessThan": "11.94.0.28",
"status": "affected",
"version": "11.88.0.0",
"versionType": "custom"
},
{
"lessThan": "11.102.0.39",
"status": "affected",
"version": "11.96.0.0",
"versionType": "custom"
},
{
"lessThan": "11.110.0.97",
"status": "affected",
"version": "11.104.0.0",
"versionType": "custom"
},
{
"lessThan": "11.118.0.63",
"status": "affected",
"version": "11.112.0.0",
"versionType": "custom"
},
{
"lessThan": "11.124.0.35",
"status": "affected",
"version": "11.120.0.0",
"versionType": "custom"
},
{
"lessThan": "11.126.0.54",
"status": "affected",
"version": "11.126.0.0",
"versionType": "custom"
},
{
"lessThan": "11.130.0.19",
"status": "affected",
"version": "11.128.0.0",
"versionType": "custom"
},
{
"lessThan": "11.132.0.29",
"status": "affected",
"version": "11.132.0.0",
"versionType": "custom"
},
{
"lessThan": "11.134.0.20",
"status": "affected",
"version": "11.134.0.0",
"versionType": "custom"
},
{
"lessThan": "11.136.0.5",
"status": "affected",
"version": "11.136.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.86.0.41",
"versionStartIncluding": "11.40.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.94.0.28",
"versionStartIncluding": "11.88.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.102.0.39",
"versionStartIncluding": "11.96.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.110.0.97",
"versionStartIncluding": "11.104.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.118.0.63",
"versionStartIncluding": "11.112.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.124.0.35",
"versionStartIncluding": "11.120.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.126.0.54",
"versionStartIncluding": "11.126.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.130.0.19",
"versionStartIncluding": "11.128.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.132.0.29",
"versionStartIncluding": "11.132.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.134.0.20",
"versionStartIncluding": "11.134.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.136.0.5",
"versionStartIncluding": "11.136.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.86.0.41",
"versionStartIncluding": "11.40.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.94.0.28",
"versionStartIncluding": "11.88.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.102.0.39",
"versionStartIncluding": "11.96.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.110.0.97",
"versionStartIncluding": "11.104.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.118.0.63",
"versionStartIncluding": "11.112.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.124.0.35",
"versionStartIncluding": "11.120.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.126.0.54",
"versionStartIncluding": "11.126.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.130.0.19",
"versionStartIncluding": "11.128.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.132.0.29",
"versionStartIncluding": "11.132.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.130.0.18",
"versionStartIncluding": "11.134.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cpanel:wp_squared:*:*:*:*:*:*:*:*",
"versionEndExcluding": "136.1.7",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"datePublic": "2026-04-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T15:48:18.270Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.cpanel.net/release-notes/release-notes"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.wpsquared.com/changelogs/versions/changelog/#13617"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WebPros cPanel and WHM Authentication Bypass via Login Flow",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-41940",
"datePublished": "2026-04-29T15:10:37.899Z",
"dateReserved": "2026-04-22T18:50:43.621Z",
"dateUpdated": "2026-05-06T15:48:18.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}