cPanel/WHM Patches Three Privilege Escalation and RCE Vulnerabilities Affecting Hosting Infrastructure
cPanel has released patches for three vulnerabilities including insufficient input validation in feature file handling and unspecified code execution issues. These affect a critical infrastructure component used by hosting providers and require immediate patching.
cPanel has released patches addressing three separate vulnerability classes affecting its flagship hosting control panel and the WHM administration interface. The only fully disclosed issue, CVE-2026-29201 (CVSS 4.3), stems from insufficient input validation of the feature file name parameter passed to the 'feature::LOADFEATUREFILE' adminbin call, which suggests a path traversal or arbitrary file inclusion vector at the administrative level. The advisory mentions but does not detail two additional vulnerabilities involving privilege escalation and code execution, indicating the vendor may be withholding technical details until patches are more widely deployed.
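The defensive property the advisory implies for a file-name parameter such as the one above is straightforward to state: a user-controlled name must never select a file outside the directory it is meant to index. The following is an added illustration of that check, not cPanel's own code (cPanel's adminbin layer is Perl; this is written in Python purely to show the technique). FEATURE_DIR, validate_feature_name, is_within, resolve_feature_file and audit are names chosen here, and the directory path and allowlist policy are constructed assumptions rather than anything the advisory specifies.

```python
"""Two-layer validation of a user-supplied feature-file name.

Added example, not cPanel code. Layer 1 is a strict allowlist on the raw
parameter; layer 2 canonicalises the resulting path and requires that it
be a direct child of the feature directory, so a name that somehow slips
past the allowlist still cannot escape.
"""
import re
from pathlib import Path

# Placeholder directory (assumption): cPanel's real feature-list location is
# not taken from the advisory.
FEATURE_DIR = Path("/var/cpanel/features")

# Constructed policy: letters, digits, underscore and hyphen, 1-64 chars.
# Dots, slashes, NUL and whitespace are therefore all rejected up front.
_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class FeatureNameError(ValueError):
    """Raised when a feature name fails validation."""


def validate_feature_name(name) -> bool:
    """Layer 1: True only if the whole string matches the allowlist."""
    return isinstance(name, str) and _NAME_RE.fullmatch(name) is not None


def is_within(base: Path, candidate: Path) -> bool:
    """Layer 2: resolve both paths and require candidate to be a direct
    child of base. This catches '..' segments and symlink escapes that a
    plain string-prefix comparison would miss."""
    base_real = base.resolve()
    cand_real = candidate.resolve()
    return cand_real.parent == base_real and cand_real != base_real


def resolve_feature_file(name: str, base: Path = FEATURE_DIR) -> Path:
    """Map a feature name to its file path, or raise FeatureNameError."""
    if not validate_feature_name(name):
        raise FeatureNameError(f"rejected feature name: {name!r}")
    target = base / name
    if not is_within(base, target):
        raise FeatureNameError(f"name escapes feature directory: {name!r}")
    return target.resolve()


def audit(names):
    """Run a batch of inputs through the check; return {name: accepted}."""
    outcome = {}
    for n in names:
        try:
            resolve_feature_file(n)
            outcome[n] = True
        except FeatureNameError:
            outcome[n] = False
    return outcome


if __name__ == "__main__":
    # Constructed sample inputs: two plausible names and several malformed ones.
    samples = ["default", "reseller-basic", "../etc/passwd", "a/b", "",
               "feat\x00", "x" * 65]
    for n, ok in audit(samples).items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {n!r}")
```

The allowlist alone would suffice for the constructed inputs, but keeping the path-containment check as an independent second layer is the point: a validator that relies on one regex is one regex change away from the class of bug the advisory describes.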
The incomplete information provided by The Hacker News suggests this advisory originated from an embargo or staggered disclosure. The CVSS score of 4.3 for CVE-2026-29201 appears low relative to the stated impact, which may indicate the vulnerability requires authenticated access or specific exploitation conditions. However, the mention of privilege escalation and code execution in the unnamed second and third vulnerabilities carries substantially higher risk if those reach CVSS 8 or above.
Hosting providers and managed WordPress platforms represent the primary attack surface. A single compromise of WHM could grant an attacker administrative access to dozens or hundreds of customer accounts and hosted sites. The privilege escalation vector is particularly concerning if it bridges from a low-privileged account (shared hosting user) to root or the cPanel daemon user. Unlike commodity server vulnerabilities, control panel compromises propagate horizontally across an entire hosting customer base rather than vertically into a single organisation's infrastructure.
Defenders should prioritise this patch above routine security updates. Hosting providers must apply these patches within their next maintenance window, and organisations running self-hosted cPanel installations should do likewise immediately. The denial-of-service component, whilst lower impact than code execution, could be chained with privilege escalation for full environment takeover. Monitor cPanel security advisories closely for additional technical guidance once the embargo lifts.
The staggered disclosure and incomplete CVE enumeration suggest the vendor discovered additional variants during investigation. Expect a follow-up advisory or clarification within the next 2-4 weeks detailing the remaining two vulnerabilities. This pattern indicates the vulnerabilities may be more severe than the initial CVSS scores suggest, and defenders should not assume these are routine patches.