Local Privilege Escalation in cPanel Nova Plugin
CVE-2026-29203

5.3MEDIUM

Key Information:

Vendor: Webpros
Status: Cpanel; Cpanel (cloudlinux 6, Centos 6); WP Squared
Vendor: CVE Published:; 8 May 2026

Badges

📰 News Worthy

What is CVE-2026-29203?

The cPanel Nova plugin contains a vulnerability that occurs when a chmod call within the Cpanel::Nova::Connector function improperly follows symlinks. This flaw permits authenticated cPanel users to manipulate file permissions, potentially granting root access to arbitrary system files or directories. This could lead to unintended consequences, including Denial of Service (DoS) and local privilege escalation, when a user creates a symlink at a legacy Nova path they control within their home directory.

Affected Version(s)

cPanel 11.136.0.0 < 11.136.0.9

cPanel 11.134.0.0 < 11.134.0.25

cPanel 11.132.0.0 < 11.132.0.31

News Articles

Cybersecuritynews

CVE-2026-29202 CVE-2026-29203

New cPanel and WHM Flaws Enable Code Execution, DoS Attacks

cPanel has disclosed three critical security vulnerabilities tracked as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203 affecting its widely deployed cPanel & WHM web hosting control panel and WP Squared (WP2) platform.

1 month ago

References

https://support.cpanel.net/hc/en-us/articles/403115437604...

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

📰
First article discovered by Cybersecuritynews
May 10, 2026
Vulnerability published
May 8, 2026
Vulnerability Reserved
Mar 4, 2026

CVE-2026-29203 Data

JSON

Webpros

Badges

What is CVE-2026-29203?

Affected Version(s)

News Articles

New cPanel and WHM Flaws Enable Code Execution, DoS Attacks

References

CVSS V4

Timeline