Improper Sanitization Vulnerability in cPanel by cPanel Inc.
CVE-2026-32993

8.3HIGH

Key Information:

Vendor: Webpros
Status: Cpanel; WP Squared
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-32993?

An improper sanitization vulnerability in the status query parameter of the /unprotected/nova_error endpoint in cPanel enables unauthenticated attackers to inject arbitrary HTTP headers into the response. This flaw can lead to various security risks, as attackers exploit this weakness to manipulate response behaviors and potentially leak sensitive information.

Affected Version(s)

cPanel 11.132.0.0 < 11.132.0.32

cPanel 11.134.0.0 < 11.134.0.26

cPanel 11.136.0.0 < 11.136.0.10

References

https://support.cpanel.net/hc/en-us/articles/404373131902...

CVSS V3.1

Score:

8.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
Mar 17, 2026

CVE-2026-32993 Data

JSON

Webpros

What is CVE-2026-32993?

Affected Version(s)

References

CVSS V3.1

Timeline