cPanel released patches for three vulnerabilities affecting cPanel and Web Host Manager (WHM) that expose systems to privilege escalation, arbitrary code execution, and denial-of-service attacks.
CVE-2026-29201 carries a CVSS score of 4.3 and stems from insufficient input validation in the "feature::LOADFEATUREFILE" adminbin call. The flaw allows attackers to manipulate feature file names, potentially leading to unintended code execution or system compromise on affected servers.
The vulnerabilities affect hosting providers and organizations running cPanel/WHM infrastructure. Attackers exploiting these flaws can escalate privileges from unprivileged accounts to administrative access, execute arbitrary code with elevated permissions, or trigger service disruptions.
cPanel and WHM remain the dominant control panel software for Linux-based web hosting environments, managing millions of servers worldwide. A compromise of these systems grants attackers direct access to hosted websites, customer data, email accounts, and server configurations. The privilege escalation pathway represents the most severe risk, enabling full server takeover.
Organizations operating cPanel or WHM installations should apply the released patches immediately. Depending on the specific flaw, the vulnerabilities are exploitable by authenticated users or, in some cases, through unauthenticated network access.
The incomplete CVE listing in available sources suggests additional vulnerability details remain under embargo or are still being published. Security teams should monitor cPanel's official advisory channels for complete information on all three flaws, including affected version numbers and detailed remediation steps.
Administrators should verify patch applicability to their specific cPanel/WHM versions before deployment and test patches in staging environments to prevent service interruptions. Given cPanel's prevalence in shared hosting and managed services, this patch cycle warrants priority treatment in vulnerability management workflows.
