CPANEL has released security updates for three flaws in cPanel & WHM that could let an attacker read files, run arbitrary code, or escalate privileges, though there is no current evidence of active exploitation.
The vulnerabilities are CVE-2026-29201 (CVSS 4.3), CVE-2026-29202 (CVSS 8.8) and CVE-2026-29203 (CVSS 8.8); the first stems from an input validation issue in the feature::LOADFEATUREFILE adminbin call, the second from improper validation of the plugin parameter in the create_user API, and the third from unsafe symlink handling that could permit changing permissions via chmod.
Patches cover multiple supported releases, including versions 11.136.0[.]9, 11.134.0[.]25, 11.132.0[.]31 and newer builds, with updates also for WP Squared and legacy CentOS 6 / CloudLinux 6 systems. The disclosure follows reports that threat actors weaponised another critical flaw tracked as CVE-2026-41940 to deploy Mirai botnet variants, and U.S. CISA has added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog, according to Shadowserver Foundation and watchTowr. Users are urged to install the latest versions promptly.