Three Security Flaws Patched in cPanel and WHM
Server administrators who rely on cPanel and Web Host Manager (WHM) to manage their hosting environments received an urgent security bulletin this week. The development team behind this popular control panel software rolled out patches for three distinct vulnerabilities. One of these flaws carries a critical severity rating and could allow an attacker to execute arbitrary Perl code on a targeted system. The disclosure arrives at a tense moment for the hosting community, as another recently patched cPanel vulnerability has already been exploited in real-world attacks to deliver ransomware and botnet payloads.
cPanel Vulnerability Fixes: Available Patches and Version Information
The development team has released patches across a wide range of version lines. This broad coverage ensures that administrators running older but stable releases can still protect their systems without being forced into a major version upgrade.
The following version branches include the necessary fixes:
- cPanel and WHM 11.136.0.9 and higher
- cPanel and WHM 11.134.0.25 and higher
- cPanel and WHM 11.132.0.31 and higher
- cPanel and WHM 11.130.0.22 and higher
- cPanel and WHM 11.126.0.58 and higher
- cPanel and WHM 11.124.0.37 and higher
- cPanel and WHM 11.118.0.66 and higher
- cPanel and WHM 11.110.0.116 and higher
- cPanel and WHM 11.110.0.117 and higher
- cPanel and WHM 11.102.0.41 and higher
- cPanel and WHM 11.94.0.30 and higher
- cPanel and WHM 11.86.0.43 and higher
For administrators still running CentOS 6 or CloudLinux 6, cPanel has released a direct update labeled WP Squared version 110.0.114. This targeted patch addresses the same vulnerabilities for users on legacy operating systems that no longer receive mainstream updates.
Why These cPanel Vulnerability Fixes Demand Immediate Attention
Security teams often face competing priorities. A vulnerability with a CVSS score of 4.3 might seem low risk, especially when no active exploitation has been reported. However, the context surrounding this disclosure changes the calculation significantly.
Just days before this announcement, cPanel patched another critical flaw identified as CVE-2026-41940. That vulnerability had a CVSS score of 9.1 and was actively weaponized as a zero-day exploit. Threat actors used it to deploy Mirai botnet variants and a ransomware strain called Sorry. The existence of a recent, weaponized zero-day in the same product line changes the threat landscape dramatically.
Attackers who successfully exploited CVE-2026-41940 gained a foothold on vulnerable servers. With access established, they could now turn their attention to the three newly disclosed flaws to deepen their control. The combination of a file read vulnerability, a code execution flaw, and a privilege escalation bug creates a complete attack chain. An adversary who already has limited access could chain these vulnerabilities together to achieve full server compromise.
Practical Steps for Server Administrators
Verify Your Current cPanel Version
The first step in implementing these cpanel vulnerability fixes is confirming which version you currently run. Log into your WHM interface and navigate to the server information section. The version number appears near the top of the page. Alternatively, you can check from the command line using the /usr/local/cpanel/cpanel -V command.
Compare your version against the patched versions listed above. If your installation falls below the minimum patched version for your branch, you need to update immediately.
Handling Legacy Systems and Compatibility Concerns
Some administrators worry that updating cPanel might break existing configurations or custom plugins. This concern is valid, especially for servers running older software stacks. However, the risk of leaving these vulnerabilities unpatched outweighs the potential for compatibility issues.
If you cannot update to the latest version due to compatibility constraints with existing plugins or custom integrations, target the minimum patched version within your current branch. For example, if you run version 11.118.x, updating to 11.118.0.66 or higher addresses the vulnerabilities without jumping to a newer major version line. This approach minimizes disruption while closing the security gaps.
Before applying any update, take a full backup of your server. Many hosting providers offer snapshot features that allow quick rollback if something goes wrong. Test the update in a staging environment if one is available.
Prioritizing Based on Risk
Not all servers face the same level of risk. A dedicated server hosting a single website for a small business has a different threat profile than a shared hosting platform serving hundreds of customers. Administrators of multi-tenant environments should treat these cpanel vulnerability fixes as urgent due to the increased attack surface.
The symlink handling flaw (CVE-2026-29203) poses a particular danger in shared hosting scenarios. A malicious tenant could exploit this vulnerability to affect other customers on the same server. The code execution flaw (CVE-2026-29202) requires authentication, but in a shared environment, authentication is trivial for anyone with a legitimate account.
Security analysts who need to justify patch priority to management can point to the CVSS scores of 8.8 for two of the three vulnerabilities. They can also reference the recent zero-day exploitation of CVE-2026-41940 as evidence that threat actors actively target cPanel installations. The absence of reported exploitation for these specific flaws does not guarantee safety, especially given the historical pattern of weaponization following disclosure.
How to Apply the Patches
Applying the updates follows the standard cPanel upgrade process. Most administrators can complete the procedure through the WHM interface or via the command line.
To update through WHM, navigate to the Upgrade to Latest Version option under the Server Configuration section. The system checks for available updates and applies them automatically. This method works well for servers running supported operating systems and current version branches.
You may also enjoy reading: One Tool Call to Rule Them All: Speed Up AI Dev with Runpod.
For command-line updates, use the following command as the root user:
/scripts/upcp –force
This command forces cPanel to check for and apply the latest updates, including security patches. The process typically completes within a few minutes, though larger installations may require additional time.
Administrators running CentOS 6 or CloudLinux 6 should use the WP Squared direct update path. The specific version 110.0.114 addresses all three vulnerabilities for these legacy environments. Contact your hosting provider or cPanel support for guidance if you encounter issues with the update process on older systems.
Verifying That Patches Have Been Applied
After updating, confirm that your server now runs a patched version. Check the version number again using either the WHM interface or the command line. Compare it against the list of patched versions to ensure compliance.
You can also review the cPanel change log for your version to see the specific security fixes included. The change log entries for these vulnerabilities reference the CVE identifiers, making verification straightforward.
For administrators managing multiple servers, consider implementing automated monitoring that tracks cPanel version numbers and alerts when updates are available. Tools like cPanel’s own update notification system or third-party server management platforms can help maintain consistent patch levels across your infrastructure.
The Bigger Picture: Patch Management in Hosting Environments
These three vulnerabilities highlight a broader challenge in web hosting security. Control panels like cPanel and WHM sit at the intersection of multiple systems, services, and user accounts. A single flaw in this software can expose hundreds or thousands of websites to risk.
The recent history of cPanel vulnerabilities, including the weaponized zero-day CVE-2026-41940, demonstrates that attackers actively research and exploit these systems. The Mirai botnet variants and Sorry ransomware delivered through that earlier flaw represent real threats that caused measurable damage to unpatched servers.
Patch fatigue is a genuine problem for system administrators. When security updates arrive frequently, it becomes tempting to delay or skip less critical patches. However, the cumulative risk approach offers a better perspective. A medium-severity file read vulnerability might not justify an emergency maintenance window on its own. But when combined with a critical code execution flaw and a privilege escalation bug, the overall risk profile changes significantly.
The responsible approach involves treating all security patches as important, prioritizing based on CVSS scores and exploitability context, and maintaining a regular update schedule that minimizes the window of exposure.
