Insufficient Input Validation Vulnerability in cPanel WHM Software
CVE-2026-29201

4.3MEDIUM

Key Information:

Vendor: Webpros
Status: Cpanel; WP Squared; Cpanel (centos 6, Cloudlinux 6)
Vendor: CVE Published:; 8 May 2026

What is CVE-2026-29201?

CVE-2026-29201 is a significant vulnerability affecting cPanel’s WHM (Web Host Manager) software, which is widely used for managing web hosting environments. This vulnerability stems from insufficient input validation in the feature::LOADFEATUREFILE adminbin call, allowing attackers to pass a relative file path that can result in arbitrary file read operations. Such exposure can lead to unauthorized access to sensitive data stored within the system, potentially compromising customer information and other critical data.

Organizations that utilize cPanel WHM for web hosting management may experience severe implications if they are subject to this vulnerability. If successfully exploited, an attacker could potentially gain insights into system configurations or access confidential files, which can be detrimental to both the integrity of the system and the trust of end-users. As this software is integral to hosting services, the ramifications of a successful exploit can ripple across the broader ecosystem of users and clients depending on these platforms.

Potential impact of CVE-2026-29201

Unauthorized Data Access: The arbitrary file read capability allows attackers to retrieve sensitive information, which can include configuration files, user credentials, or databases. This unauthorized access may lead to further exploitation of the compromised assets.
Threat to System Integrity: Compromised data integrity could result from an attacker modifying accessible files, potentially leading to service disruptions, misinformation, or malicious alterations that affect the functionality of hosted applications.
Reputation Damage and Financial Loss: Beyond technical impacts, the exploitation of this vulnerability can cause significant reputational harm to organizations, undermining client trust and leading to financial losses through remediation costs, legal repercussions, and potential regulatory fines.

Affected Version(s)

cPanel 11.136.0.0 < 11.136.0.9

cPanel 11.134.0.0 < 11.134.0.25

cPanel 11.132.0.0 < 11.132.0.31

References

https://support.cpanel.net/hc/en-us/articles/403110336983...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 8, 2026
Vulnerability Reserved
Mar 4, 2026

CVE-2026-29201 Data

JSON