We are aware of a potentially service impacting issue. Learn more

updated 14-05-26: 040Hosting Security Update: cPanel/WHM Patches for CVE-2026-29201, CVE-2026-29202 and CVE-2026-29203

  • Friday, 8th May, 2026
  • 19:45pm

05/14/26 10:46 AM CST: We have released an additional fix to the recent patch for CVE-2026-29205. The updated builds have been backported across all supported versions listed below. [more info]

At 040Hosting, we continuously monitor vendor security releases for the software used across our managed hosting infrastructure.

On May 8, 2026, cPanel released security updates for three cPanel/WHM vulnerabilities:

  • CVE-2026-29201

  • CVE-2026-29202

  • CVE-2026-29203

These patches are now available and have been implemented where applicable on servers managed by 040Hosting.

What Was Patched

The vulnerabilities addressed by these updates affect different parts of cPanel/WHM functionality.

CVE-2026-29201 relates to an arbitrary file read issue in the feature::LOADFEATUREFILE adminbin call, where the feature file name was not validated strictly enough. In certain circumstances, this could allow a relative path to be passed and make an arbitrary file world-readable. (cPanel Support)

CVE-2026-29202 relates to a Perl code injection method in the create_user API call, connected to the plugin parameter. (cPanel Support)

CVE-2026-29203 relates to unsafe symlink handling, where a user could potentially chmod an arbitrary file. cPanel describes the possible impact as denial of service and possible privilege escalation. (cPanel Support)

Patched cPanel/WHM Versions

cPanel has released patches for multiple supported cPanel/WHM branches. The patched versions include:

  • 11.136.0.9 and higher

  • 11.134.0.25 and higher

  • 11.132.0.31 and higher

  • 11.130.0.22 and higher

  • 11.126.0.58 and higher

  • 11.124.0.37 and higher

  • 11.118.0.66 and higher

  • 11.110.0.116 and higher

  • 11.110.0.117 and higher

  • 11.102.0.41 and higher

  • 11.94.0.30 and higher

  • 11.86.0.43 and higher

For customers still on CentOS 6 or CloudLinux 6, cPanel also released v110.0.114 as a direct update. (cPanel Support)

What We Did

For servers managed by 040Hosting, we updated cPanel/WHM to a patched version where applicable.

The update was handled through the standard cPanel update process. After updating, the cPanel version was verified to confirm that the server was running a patched release.

This is part of our normal security maintenance workflow. When security patches become available, we do not wait for a later maintenance window unless there is a specific technical reason to do so.

Customer Impact

No customer action is required for managed servers.

This was a control panel security update. It did not require customer-side configuration changes and was applied as part of our normal managed server maintenance.

For customers managing their own cPanel/WHM servers, we recommend updating to one of the patched versions listed above as soon as possible. The standard command for a forced cPanel update is:

/scripts/upcp --force

After the update, the installed cPanel version can be checked with:

/usr/local/cpanel/cpanel -V

Keeping the Hosting Stack Secure

Security updates like these show why managed hosting is not just about keeping websites online. A hosting environment depends on many layers: the operating system, kernel, control panel, web server, mail services and security tools.

040Hosting actively monitors these layers and applies vendor patches when they become available. Where temporary mitigations are needed before a final patch is available, we apply those where possible as well.

Our goal remains simple: keep customer environments protected, stable and available.

 

« Back