PatchSiren cyber security CVE debrief

CVE-2025-26803 cPanel CVE debrief

cPanel’s EasyApache 4 25.7 release includes a security update for Passenger that addresses CVE-2025-26803. The vendor advisory also notes updated packages for Tomcat 10.1, NodeJS 18, and Memcached 1.6. Based on the supplied source corpus, the actionable takeaway is straightforward: operators running cPanel/WHM with EasyApache 4 should verify they have the 25.7 release or later applied so the Passenger fix is in place.

Vendor: cPanel
Product: cPanel/WHM
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-02-24
Original CVE updated: 2025-02-24
Advisory published: Unknown
Advisory updated: Unknown

Who should care

cPanel/WHM administrators, hosting providers, and anyone managing systems that use EasyApache 4 with Passenger enabled or installed.

Technical summary

The only vulnerability-specific detail in the supplied corpus is that Passenger received a security update in EasyApache 4 25.7 to address CVE-2025-26803. The source material does not include the vulnerability class, attack prerequisites, impact scope, or CVSS score. The release note does confirm the affected maintenance stream is EasyApache 4 and that the fix is delivered through the vendor’s package update channel.

Defensive priority

Elevated. The vendor explicitly labels this as a security update, but the supplied corpus does not provide CVSS or impact details. Prioritize routine patch validation and package reconciliation on exposed cPanel/WHM hosts.

Recommended defensive actions

  • Confirm whether EasyApache 4 25.7 or a later release is installed on all cPanel/WHM systems.
  • Review Passenger package versions on managed hosts and apply the vendor update if they lag behind the EasyApache 4 25.7 release.
  • Validate update deployment across staging and production so the security fix is consistently present.
  • Check the EasyApache 4 change log referenced by cPanel for any additional package-level impacts before maintenance windows.
  • Monitor the CVE record and NVD entry for any newly published impact details or scoring updates.

Evidence notes

The vendor advisory at the official cPanel release notes page states: “This release includes updated versions of Tomcat 10.1, NodeJS 18, Memcached 1.6, and a security update for Passenger to address CVE-2025-26803.” The supplied corpus does not include CVSS, exploitability details, or dates for the CVE record, so those are intentionally not inferred.

Official resources

Public vendor advisory and public CVE record only; no exploit details or unsupported impact claims included.