CPANEL has released updates for three vulnerabilities in cPanel and WHM that could allow privilege escalation, code execution, and denial-of-service. The flaws are CVE-2026-29201, CVE-2026-29202 and CVE-2026-29203. CVE-2026-29201 involves insufficient input validation of the feature::LOADFEATUREFILE adminbin call, potentially enabling arbitrary file reads.
CVE-2026-29202 concerns insufficient input validation of the plugin parameter in the create_user API call, which could result in arbitrary Perl code execution on behalf of the authenticated account’s system user. CVE-2026-29203 relates to unsafe symlink handling that could let a user modify access permissions of an arbitrary file using chmod, causing denial-of-service or possible privilege escalation.
The patches apply to multiple versions, with direct updates available for customers still on CentOS 6 or CloudLinux 6 as 110.0.114. The article notes that there is no public evidence of exploitation in the wild, but mentions that another critical flaw (CVE-2026-41940) has been weaponised as a zero-day to deliver Mirai botnet variants and the ransomware strain called Sorry.