Symlink Handling Issues in LiteSpeed cPanel Plugin by LiteSpeed
CVE-2026-54420
Key Information:
- Vendor: Litespeed Technologies
- Status: Vendor
- CVE Published: 14 June 2026
What is CVE-2026-54420?
CVE-2026-54420 is a vulnerability in the LiteSpeed cPanel plugin affecting versions prior to 2.4.8. The LiteSpeed cPanel plugin integrates LiteSpeed's web server with the cPanel control panel, which is widely used to manage web hosting accounts. The vulnerability arises from improper handling of symlinks placed by users who have FTP or web shell access to an account on a shared hosting environment running CloudLinux/CageFS: the plugin operates on those user-controlled paths without treating the symlinks as untrusted. Exploitation could expose organizations running this software to significant risk, as attackers might gain unauthorized access to sensitive data or execute malicious scripts, severely impacting the integrity and confidentiality of hosted services.
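The class of bug described above, a privileged component acting on a path inside an account directory and following a symlink the account owner placed there, comes down to how that component opens files. The following added example (not code from LiteSpeed or the cPanel plugin, whose implementation this page does not show) contrasts a naive open, which follows any symlink, with a hardened open that refuses symlinks at every path component by opening each component relative to the previous directory descriptor with O_NOFOLLOW. The account tree, file names and a stand-in "secret" file outside the account are constructed for the demonstration; the code assumes a Linux/POSIX host.

```python
import os
import shutil
import stat
import tempfile


class UnsafePathError(Exception):
    """Raised when a user-supplied path would escape the account or traverse a symlink."""


def naive_read(base_dir: str, user_path: str) -> str:
    """The pattern the advisory describes: privileged code joins a base directory with a
    user-controlled relative path and opens it, so any symlink the user placed is followed."""
    with open(os.path.join(base_dir, user_path), "r") as f:
        return f.read()


def open_within(base_dir: str, user_path: str) -> int:
    """Open base_dir/user_path read-only without following a symlink at any component.

    Components are opened one at a time with dir_fd + O_NOFOLLOW, so a symlink swapped in
    between a check and the open is still refused (no check-then-open race). Returns an open
    descriptor for a regular file; raises UnsafePathError otherwise.
    """
    if os.path.isabs(user_path):
        raise UnsafePathError("absolute paths are not allowed")
    parts = [p for p in user_path.split("/") if p not in ("", ".")]
    if not parts:
        raise UnsafePathError("empty path")
    if ".." in parts:
        raise UnsafePathError("parent traversal is not allowed")

    dir_fd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:
            try:
                # O_DIRECTORY | O_NOFOLLOW: a symlink (even one pointing at a directory) gets ELOOP.
                nxt = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            except OSError as exc:
                raise UnsafePathError(f"refusing component {comp!r}: {exc.strerror}") from exc
            os.close(dir_fd)
            dir_fd = nxt
        try:
            fd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
        except OSError as exc:
            raise UnsafePathError(f"refusing {parts[-1]!r}: {exc.strerror}") from exc
    finally:
        os.close(dir_fd)

    # Post-open check on the descriptor we actually hold, not on a path that could change.
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise UnsafePathError("not a regular file")
    return fd


def demo() -> dict:
    """Build a constructed account tree and return what each approach yields per path."""
    root = tempfile.mkdtemp()
    try:
        account = os.path.join(root, "home", "user1", "public_html")
        os.makedirs(account)
        # Constructed stand-in for a sensitive file outside the account (e.g. another user's data).
        outside = os.path.join(root, "secret_outside_account")
        with open(outside, "w") as f:
            f.write("secret\n")
        with open(os.path.join(account, "index.html"), "w") as f:
            f.write("<h1>hi</h1>\n")
        # Symlinks an FTP/web-shell user could create inside their own account.
        os.symlink(outside, os.path.join(account, "link_out"))
        os.symlink(os.path.join(root, "home"), os.path.join(account, "dir_link"))

        relative = ["index.html", "link_out",
                    "dir_link/user1/public_html/index.html", "../../../secret_outside_account"]
        naive = {rel: naive_read(account, rel) for rel in relative}

        hardened = {}
        for rel in relative + ["/etc/hostname"]:
            try:
                fd = open_within(account, rel)
                hardened[rel] = os.read(fd, 64).decode()
                os.close(fd)
            except UnsafePathError as exc:
                hardened[rel] = f"REFUSED: {exc}"
        return {"naive": naive, "hardened": hardened}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for approach, results in demo().items():
        for rel, outcome in results.items():
            print(f"{approach:9} {rel:45} -> {outcome.strip()}")
```

The naive open reads the file outside the account through both symlinks, which is exactly the exposure the advisory describes when the opener runs with more privilege than the account owner. The hardened open only ever yields `index.html` reached by a symlink-free path; the refused cases are reported by component so an operator can log which path was rejected and why.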
Potential Impact of CVE-2026-54420
- Unauthorized Access: The vulnerability allows attackers with restricted access via FTP or web shell to manipulate symlinks, potentially leading to unauthorized access to sensitive directories and files. This risk can compromise user data and violate privacy regulations.
- Execution of Malicious Code: By exploiting this vulnerability, attackers could inject malicious code or scripts into vulnerable systems. This can be particularly damaging on shared hosting environments, where one compromised site can lead to the infection of other accounts, spreading further malicious activity.
- Service Disruption: If exploited, this vulnerability could destabilize hosting environments, leading to service outages or degraded performance. This not only affects end users but also harms the reputation and operational viability of hosting service providers.
CISA has reported CVE-2026-54420
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2026-54420 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.
The CISA's recommendation is: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Affected Version(s)
cPanel Plugin (Linux): 2.3 and later, prior to 2.4.8
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
CISA Flags LiteSpeed cPanel Plugin Flaw Exploited for Root Privilege Escalation
CISA added CVE-2026-54420 to KEV, requiring federal agencies to patch LiteSpeed cPanel root escalation by June 18, 2026.
Timeline
- 🟡 Public PoC available
- 📰 First article discovered by The Hacker News
- 👾 Exploit known to exist
- 🦅 CISA Reported
- Vulnerability published
- Vulnerability Reserved
