
CISA has added the LiteSpeed cPanel Plugin flaw tracked as CVE-2026-48172 to its Known Exploited Vulnerabilities catalogue after confirming that the bug is being used in active attacks.
The vulnerability affects all releases of the plugin prior to 2.4.5 and permits any authenticated cPanel user to escalate privileges to root, thereby gaining the ability to run arbitrary commands on the compromised server.
Federal civilian agencies must apply the fix by 29 May 2026 under Binding Operational Directive 22-01, while private sector owners are urged to assess their exposure and prioritize patching.
The addition highlights the growing threat posed by weaknesses in widely deployed hosting plugins that are often overlooked during routine hardening.
CVE-2026-48172 carries a CVSS v3.1 base score of 10.0, reflecting a critical privilege escalation weakness in the LiteSpeed user‑end component for cPanel (NVD entry).
The root cause lies in insufficient validation of user‑supplied data passed to internal Redis functions, which allows an attacker to inject Lua code that is executed with the privileges of the LiteSpeed daemon.
Because the daemon runs as root to manage web server configurations, successful injection provides full command-line access, enabling the installation of backdoors, exfiltration of logs or modification of hosted sites.
Exploitation requires only a valid cPanel account: no system privileges beyond a standard cPanel login, and no network access beyond the normal HTTPS interface used for managing websites, are needed (GitHub advisory).
LiteSpeed issued a security update on 21 May 2026 that addresses the problem in version 2.4.5, and later advised administrators to move to version 2.4.7 which includes extra hardening and improved logging (SecurityWeek report).
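As an added illustration (not code from the article, CISA or LiteSpeed), the following triage script applies the version thresholds above to a constructed host inventory; it compares versions numerically so that a release such as 2.4.10 is not mistaken for one older than 2.4.5, and counts the days remaining to the BOD 22-01 due date for hosts that are still vulnerable. Host names and version strings in the inventory are constructed sample data.

```python
"""Exposure triage for CVE-2026-48172 (LiteSpeed cPanel Plugin).

Thresholds and the due date come from the article: 2.4.5 is the first
release that addresses the flaw, 2.4.7 adds hardening and logging, and
federal agencies must patch by 29 May 2026 under BOD 22-01.
"""
from datetime import date

FIXED_VERSION = (2, 4, 5)      # first release that addresses the flaw
HARDENED_VERSION = (2, 4, 7)   # release with extra hardening and logging
BOD_22_01_DUE = date(2026, 5, 29)

# Constructed sample inventory: hostname -> installed plugin version
# (None means the plugin is not installed on that host).
SAMPLE_INVENTORY = {
    "web01.example.test": "2.4.3",
    "web02.example.test": "2.4.10",   # numerically newer than 2.4.7
    "web03.example.test": "2.4.5",
    "web04.example.test": None,
}


def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(version):
    """Return 'vulnerable', 'patched' or 'hardened' for one plugin version."""
    parsed = parse_version(version)
    if parsed < FIXED_VERSION:
        return "vulnerable"
    if parsed < HARDENED_VERSION:
        return "patched"
    return "hardened"


def triage(inventory, today_iso):
    """Map each host to its status; vulnerable hosts also get the number of
    days left before the BOD 22-01 due date (negative once it has passed)."""
    today = date.fromisoformat(today_iso)
    report = {}
    for host, version in inventory.items():
        if version is None:
            report[host] = {"status": "not-installed"}
            continue
        entry = {"status": classify(version), "version": version}
        if entry["status"] == "vulnerable":
            entry["days_to_deadline"] = (BOD_22_01_DUE - today).days
            entry["action"] = "upgrade to 2.4.7 (minimum 2.4.5)"
        report[host] = entry
    return report
```

Run `triage(SAMPLE_INVENTORY, date.today().isoformat())` against a real inventory export to produce the same per-host report.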
cPanel has subsequently withdrawn the vulnerable plugin