05/14/26 10:46 AM CST: We have released an additional fix to the recent patch for CVE-2026-29205. The updated builds have been backported across all supported versions listed below. [more info]
At 040Hosting, we continuously monitor vendor security releases for the software used across our managed hosting infrastructure.
On May 8, 2026, cPanel released security updates for three cPanel/WHM vulnerabilities:
-
CVE-2026-29201
-
CVE-2026-29202
-
CVE-2026-29203
These patches are now available and have been implemented where applicable on servers managed by 040Hosting.
What Was Patched
The vulnerabilities addressed by these updates affect different parts of cPanel/WHM functionality.
CVE-2026-29201 relates to an arbitrary file read issue in the feature::LOADFEATUREFILE adminbin call, where the feature file name was not validated strictly enough. In certain circumstances, this could allow a relative path to be passed and make an arbitrary file world-readable. (cPanel Support)
CVE-2026-29202 relates to a Perl code injection method in the create_user API call, connected to the plugin parameter. (cPanel Support)
CVE-2026-29203 relates to unsafe symlink handling, where a user could potentially chmod an arbitrary file. cPanel describes the possible impact as denial of service and possible privilege escalation. (cPanel Support)
Patched cPanel/WHM Versions
cPanel has released patches for multiple supported cPanel/WHM branches. The patched versions include:
-
11.136.0.9 and higher
-
11.134.0.25 and higher
-
11.132.0.31 and higher
-
11.130.0.22 and higher
-
11.126.0.58 and higher
-
11.124.0.37 and higher
-
11.118.0.66 and higher
-
11.110.0.116 and higher
-
11.110.0.117 and higher
-
11.102.0.41 and higher
-
11.94.0.30 and higher
-
11.86.0.43 and higher
For customers still on CentOS 6 or CloudLinux 6, cPanel also released v110.0.114 as a direct update. (cPanel Support)
What We Did
For servers managed by 040Hosting, we updated cPanel/WHM to a patched version where applicable.
The update was handled through the standard cPanel update process. After updating, the cPanel version was verified to confirm that the server was running a patched release.
This is part of our normal security maintenance workflow. When security patches become available, we do not wait for a later maintenance window unless there is a specific technical reason to do so.
Customer Impact
No customer action is required for managed servers.
This was a control panel security update. It did not require customer-side configuration changes and was applied as part of our normal managed server maintenance.
For customers managing their own cPanel/WHM servers, we recommend updating to one of the patched versions listed above as soon as possible. The standard command for a forced cPanel update is:
/scripts/upcp --force
After the update, the installed cPanel version can be checked with:
/usr/local/cpanel/cpanel -V
Keeping the Hosting Stack Secure
Security updates like these show why managed hosting is not just about keeping websites online. A hosting environment depends on many layers: the operating system, kernel, control panel, web server, mail services and security tools.
040Hosting actively monitors these layers and applies vendor patches when they become available. Where temporary mitigations are needed before a final patch is available, we apply those where possible as well.
Our goal remains simple: keep customer environments protected, stable and available.