Privilege Escalation Vulnerability in LiteSpeed User-End cPanel Plugin
CVE-2026-48172
Key Information:
- Vendor: LiteSpeed Technologies
- Status: Vendor
- CVE Published: 21 May 2026
What is CVE-2026-48172?
CVE-2026-48172 is a privilege escalation vulnerability in the LiteSpeed User-End cPanel Plugin. The vulnerability description covers versions prior to 2.4.5; the Affected Version(s) list on this page gives the ranges per product. The flaw lets an attacker who already holds basic cPanel access escalate to root. The plugin exposes LiteSpeed web server management through cPanel, a widely used hosting control panel, so on a shared host a single user-level account can become full control of the server: arbitrary command execution, changes to system settings, and access to every hosted account's data.
The vulnerability stems from improper handling of the plugin's Redis enable/disable feature, which defeats the controls meant to keep user-level accounts from acting with elevated privileges. Active exploitation has been reported, so organizations running a vulnerable version should update promptly and monitor affected hosts in the meantime.
Potential Impact of CVE-2026-48172
- Unauthorized Access: Attackers may exploit this vulnerability to gain root access to systems, allowing them to execute arbitrary commands, alter configurations, and access sensitive data, undermining the confidentiality and integrity of the environment.
- Data Breaches: With elevated privileges, an attacker can extract, modify, or delete critical information, leading to data loss or exposure of sensitive customer data, with legal and financial repercussions for the organization.
- System Control and Manipulation: Root privileges let attackers manipulate system functionality, install malicious software, or create backdoors for future access, widening the attack surface and complicating remediation.
CISA has reported CVE-2026-48172
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2026-48172 as being exploited; it is not known by CISA to be used in ransomware campaigns. This status may change quickly.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
- cPanel Plugin (Linux): 2.3 up to, but not including, 2.4.7
- WHM Plugin (Linux): all versions before 5.3.1.0
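The ranges above are "lower bound inclusive, upper bound exclusive", which is easy to get wrong when comparing version strings by hand (2.4.7 is fixed, 2.4.6 is not; 5.3.1.0 is fixed, 5.3.0.9 is not). The following is an added example, not LiteSpeed's, cPanel's or CISA's code, that encodes the two ranges from this page's Affected Version(s) list and triages an inventory of hosts against them. The inventory is constructed sample data, the hostnames are hypothetical, and the page does not say how to read the installed plugin version on a server, so that step is left to the operator. Note that the vulnerability description above gives "prior to 2.4.5" while the list gives "< 2.4.7"; the example follows the list, the wider of the two.

```python
"""Triage installed LiteSpeed cPanel/WHM plugin versions against the affected
ranges listed for CVE-2026-48172.

Added example (not vendor code). Ranges come from the page's Affected
Version(s) list; hostnames and versions below are constructed sample input.
"""

# Affected ranges from the page: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = {
    "cpanel": ("2.3", "2.4.7"),   # cPanel Plugin (Linux)
    "whm": ("0", "5.3.1.0"),      # WHM Plugin (Linux)
}


def parse_version(version):
    """Turn '2.4.7' into a comparable tuple of ints.

    Pads to four components so that 2.3 == 2.3.0 == 2.3.0.0, which matters
    because the page mixes three-part and four-part version strings.
    Raises ValueError on non-numeric components (e.g. '2.4.7-beta') rather
    than silently mis-ordering them.
    """
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def is_affected(product, version):
    """True if lower <= version < upper for the product's listed range."""
    low, high = AFFECTED_RANGES[product]
    v = parse_version(version)
    return parse_version(low) <= v < parse_version(high)


def triage(inventory):
    """Return the sorted hostnames whose installed plugin is in an affected range.

    inventory maps hostname -> (product, version_string).
    """
    return sorted(host for host, (product, version) in inventory.items()
                  if is_affected(product, version))


# Constructed sample inventory; hostnames are hypothetical.
SAMPLE_INVENTORY = {
    "web-01": ("cpanel", "2.4.6"),    # last vulnerable cPanel plugin release
    "web-02": ("cpanel", "2.4.7"),    # first fixed release per the list
    "web-03": ("cpanel", "2.2.9"),    # below the listed lower bound
    "whm-01": ("whm", "5.3.0.9"),     # vulnerable WHM plugin
    "whm-02": ("whm", "5.3.1.0"),     # first fixed WHM plugin release
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        product, version = SAMPLE_INVENTORY[host]
        print(f"{host}: {product} plugin {version} is affected, apply the vendor update")
```

Feed `triage` the real product/version pairs from your own inventory; anything it returns should be patched or, per CISA's guidance, taken out of service until it can be.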
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to use in ransomware campaigns.
News Articles
CISA Warns of LiteSpeed cPanel Plugin Vulnerability Exploited in Attacks - IT Security News
CISA has issued an urgent warning regarding a critical vulnerability in the LiteSpeed cPanel Plugin, identified as CVE-2026-48172, which is currently being exploited in real-world attacks. The flaw enables privilege escalation, allowing attackers with basic cPanel access to execute arbitrary…
3 weeks ago
CISA gives feds 4 days to patch actively exploited cPanel plugin flaw
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. federal agencies four days to secure their servers against a critical vulnerability in the LiteSpeed cPanel user-end plugin, which is actively being exploited in attacks.
3 weeks ago
CISA Urges Immediate Patching of Exploited LiteSpeed cPanel Plugin Zero-Day
CISA urges federal agencies to immediately patch CVE-2026-48172, a critical LiteSpeed cPanel plugin vulnerability exploited as a zero-day.
3 weeks ago
Timeline
- CISA Reported
- Public PoC available
- Exploit known to exist
- First article discovered by Newsbreak
- Vulnerability published
- Vulnerability reserved
