PatchSiren cyber security CVE debrief
CVE-2026-49975 Apache Software Foundation CVE debrief
CVE-2026-49975 is a HIGH severity vulnerability in EasyApache 4, with a CVSS score of 7.5. The vulnerability allows attackers to craft malicious HTTP/2 cookie headers that can multiply across streams, consuming excessive memory. The fix makes cookie headers count against LimitRequestFields. Note that HTTP/2 is not enabled by default in cPanel configurations.
- Vendor: Apache Software Foundation
- Product: cPanel/WHM
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-10
Who should care
Users of cPanel/WHM with EasyApache 4 installed should apply the security update to prevent potential memory consumption attacks.
Technical summary
CVE-2026-49975 is a vulnerability in ea-apache24 of EasyApache 4. Crafted malicious HTTP/2 cookie headers can multiply across streams, leading to excessive memory consumption. The update makes cookie headers count against LimitRequestFields, mitigating the issue.
Defensive priority
HIGH
Recommended defensive actions
- Apply the EasyApache 4 25.64 security update to patch CVE-2026-49975.
- Review and update cPanel configurations to ensure HTTP/2 is not enabled if not required.
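One way to run the configuration review above, as an added example that is not cPanel or Apache code: it reports every Protocols line that offers h2 or h2c and every LimitRequestFields value, flagging 0 because httpd treats it as unlimited. The names audit_h2 and sample_conf and the sample configuration are constructed for illustration; Include directives are not followed, so pass every config file you want checked.

```shell
#!/bin/sh
# Added example: scan httpd config files for the two settings the advisory
# names. File paths are supplied by the operator; none are assumed here.

audit_h2() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    {
        d = tolower($1)                     # directive names are case-insensitive
        if (d == "protocols") {
            for (i = 2; i <= NF; i++) {
                p = tolower($i)
                if (p == "h2" || p == "h2c") {
                    printf "HTTP2_ENABLED %s:%d %s\n", FILENAME, FNR, p
                    h2 = 1
                }
            }
        } else if (d == "limitrequestfields") {
            seen = 1
            # 0 means unlimited in httpd, so the field-count cap bounds nothing
            note = ($2 ~ /^0+$/) ? " UNLIMITED" : ""
            printf "LIMIT_REQUEST_FIELDS %s:%d %s%s\n", FILENAME, FNR, $2, note
        }
    }
    END {
        if (!seen) print "LIMIT_REQUEST_FIELDS unset (httpd default 100)"
        if (!h2)   print "HTTP2_ENABLED no"
        exit (h2 ? 1 : 0)                   # status 1 when h2/h2c is offered
    }' "$@"
}

# Constructed sample configuration, for demonstration only.
sample_conf() {
    cat <<'EOF'
# global section
Protocols http/1.1
<VirtualHost *:443>
    ServerName example.test
    protocols h2 http/1.1
    LimitRequestFields 0
</VirtualHost>
EOF
}

# When saved as a script, audit the files given on the command line.
if [ "$#" -gt 0 ]; then audit_h2 "$@"; fi
```

A Protocols entry only takes effect when mod_http2 is loaded, so treat a hit as a prompt to confirm the module state on that host.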
Evidence notes
The CVE was published on 2026-06-08T16:16:44.223Z and modified on 2026-06-10T19:36:37.510Z. The vendor, Apache Software Foundation, released an official advisory through cPanel's changelog RSS feed.
Official resources
- CVE-2026-49975 CVE record (CVE.org)
- CVE-2026-49975 NVD detail (NVD)
- Vendor advisory source (cpanel_changelog_rss)
CVE-2026-49975 was patched in EasyApache 4 25.64. For more information, see the EasyApache 4 change log.