CISA has added CVE-2026-54420 to its Known Exploited Vulnerabilities catalogue, affecting the LiteSpeed cPanel Plugin. The vulnerability, named LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability, allows a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS to follow symbolic links and potentially read or write arbitrary files.
The flaw is a symlink-following (time-of-check-time-of-use) issue that can be exploited locally once an attacker gains limited shell or FTP access. It carries a CVSS score of 8.5, rated HIGH, and a security patch is available from LiteSpeed (see advisory URL). No authentication bypass is required beyond the initial low-privilege access.
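To make the bug class concrete, here is a hardened open routine of the kind a privileged hosting component needs when it touches tenant-owned paths; it is an added example, not code from LiteSpeed or the plugin, and the tenant home, file names and symlink target are a constructed fixture. It opens every path component relative to the parent directory descriptor with O_NOFOLLOW, which removes the check-then-open race instead of trying to win it (requires a POSIX system with O_NOFOLLOW and O_DIRECTORY).

```python
import errno
import os
import shutil
import tempfile

def open_without_following(root: str, relpath: str, flags: int = os.O_RDONLY) -> int:
    """Open root/relpath without following any symlink.

    An lstat-then-open sequence leaves a race window in which a tenant can swap a
    file for a symlink; opening each component relative to the parent directory fd
    with O_NOFOLLOW closes it, so a planted link fails with ELOOP instead of
    redirecting a privileged open outside root.
    """
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("empty path or traversal component rejected")
    dir_fd = os.open(os.path.realpath(root), os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:  # descend one directory at a time, never via a link
            nxt = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        return os.open(parts[-1], flags | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)

def demo() -> dict:
    """Constructed fixture: a tenant home holding a real file and a symlink that
    points outside it. Returns, per path, the content read or why it was refused."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "tenant_home")
    os.makedirs(os.path.join(home, "public_html"))
    with open(os.path.join(base, "outside_secret.txt"), "w") as f:
        f.write("SECRET")
    with open(os.path.join(home, "public_html", "index.html"), "w") as f:
        f.write("hello")
    os.symlink(os.path.join(base, "outside_secret.txt"), os.path.join(home, "public_html", "link"))
    results = {}
    for rel in ("public_html/index.html", "public_html/link", "public_html/../../outside_secret.txt"):
        try:
            with os.fdopen(open_without_following(home, rel)) as f:
                results[rel] = f.read()
        except ValueError:
            results[rel] = "rejected"
        except OSError as e:
            results[rel] = "refused" if e.errno == errno.ELOOP else f"error:{e.errno}"
    shutil.rmtree(base)
    return results
```

The legitimate file is read, the symlink is refused with ELOOP by the kernel rather than by a racy userland check, and the traversal path never reaches the filesystem at all.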
Active exploitation has been confirmed, which is why the entry appears in the KEV catalogue; there is no publicly known ransomware campaign using this vulnerability at this time. CISA has set a remediation deadline of 2026-06-18 for federal civilian executive branch (FCEB) agencies.
CISA’s required action is: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
While FCEB agencies must meet the deadline, all organisations should review their exposure to the LiteSpeed cPanel Plugin and apply the patch or mitigations promptly.
For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-54420 and the CISA KEV catalogue at https://www.cisa.gov/known-exploited-vulnerabilities-catalog.