Local Privilege Escalation in cPanel Nova Plugin
CVE-2026-29203

8.8HIGH

Key Information:

Vendor: Webpros
Status: Cpanel; Cpanel (centos 6, Cloudlinux 6); WP Squared
Vendor: CVE Published:; 8 May 2026

What is CVE-2026-29203?

The cPanel Nova plugin contains a vulnerability that occurs when a chmod call within the Cpanel::Nova::Connector function improperly follows symlinks. This flaw permits authenticated cPanel users to manipulate file permissions, potentially granting root access to arbitrary system files or directories. This could lead to unintended consequences, including Denial of Service (DoS) and local privilege escalation, when a user creates a symlink at a legacy Nova path they control within their home directory.

Affected Version(s)

cPanel 11.136.0.0 < 11.136.0.9

cPanel 11.134.0.0 < 11.134.0.25

cPanel 11.132.0.0 < 11.132.0.31

References

https://support.cpanel.net/hc/en-us/articles/403115437604...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 8, 2026
Vulnerability Reserved
Mar 4, 2026

CVE-2026-29203 Data

JSON

Webpros

What is CVE-2026-29203?

Affected Version(s)

References

CVSS V3.1

Timeline