PatchSiren

CVE-2026-28387 cPanel CVE debrief

CVE-2026-28387 is addressed in cPanel’s EasyApache 4 25.54 release, which delivers a security patch for ea-openssl11. The vendor advisory groups this issue with related OpenSSL package CVEs in the same update stream, so the practical response is to treat the EasyApache 4 package refresh as the fix path for affected cPanel/WHM systems.

Vendor: cPanel
Product: cPanel/WHM
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-07
Original CVE updated: 2026-05-10
Advisory published: 2026-04-07
Advisory updated: 2026-05-10

Who should care

cPanel/WHM administrators, hosting providers, and system owners running EasyApache 4 with ea-openssl11 installed should review this release promptly, especially on internet-facing servers.

Technical summary

The supplied vendor source does not describe the underlying flaw mechanics for CVE-2026-28387. What is confirmed is that cPanel’s EasyApache 4 25.54 release includes a security patch for ea-openssl11, alongside related CVEs CVE-2026-28388 through CVE-2026-28390 and other package updates. The CVE record provides a CVSS score of 8.1 (High).

Defensive priority

High. The vendor has already released a package update that includes the fix, and the provided CVSS score indicates significant security impact. Apply the EasyApache 4 security update as soon as practical.

Recommended defensive actions

  • Update EasyApache 4 to the vendor-released 25.54 package set or later.
  • Confirm the installed ea-openssl11 package version matches the vendor-fixed release level.
  • Review whether related EasyApache package updates (ea-php84, ea-php85, ea-nginx) are also pending on your servers.
  • Prioritize systems that are publicly reachable or that host customer workloads.
  • Track the cPanel release notes and linked CVE records for any follow-on clarification or additional package guidance.
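
The version check in the second and third actions above can be scripted. The following is an added example, not code from cPanel or from this debrief's sources: it compares an inventory of installed ea-* packages against per-package minimum versions. It assumes an RPM-based server and GNU sort -V as an approximation of rpm's version ordering; the function names are hypothetical and every version string is a constructed placeholder to be replaced with the levels in the vendor's 25.54 release notes.

```shell
#!/bin/sh
# Added example, not vendor code. All version strings here are constructed
# placeholders; take real floors from the EasyApache 4 25.54 release notes.

# ver_lt A B: succeeds when A sorts strictly before B under `sort -V`.
# Assumption: this approximates rpm's ordering; it is not rpm's own routine.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_inventory FLOORS INVENTORY (hypothetical helper name)
# Both arguments hold newline-separated "name version-release" lines.
# Prints "STATUS name installed floor" per floor entry; returns 1 if any
# package is OUTDATED. MISSING is reported but not failed, because a
# package that is not installed has nothing to patch.
audit_inventory() {
    floors=$1 inventory=$2 rc=0
    while read -r name floor; do
        [ -n "$name" ] || continue
        have=$(printf '%s\n' "$inventory" |
            awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            echo "MISSING $name - $floor"
        elif ver_lt "$have" "$floor"; then
            echo "OUTDATED $name $have $floor"
            rc=1
        else
            echo "OK $name $have $floor"
        fi
    done <<EOF
$floors
EOF
    return $rc
}

# Constructed sample data (not real package versions).
SAMPLE_FLOORS='ea-openssl11 9.9.9-2
ea-nginx 9.9.9-5'
SAMPLE_INVENTORY='ea-openssl11 9.9.9-1
ea-nginx 9.9.9-5
ea-php84 9.9.9-1'

audit_inventory "$SAMPLE_FLOORS" "$SAMPLE_INVENTORY" || echo "update needed"

# On a live RPM-based server, build the inventory from the package database:
#   audit_inventory "$FLOORS" \
#     "$(rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'ea-*')"
```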

Evidence notes

This debrief is based only on the supplied cPanel release-note summary and the provided CVE metadata. The source confirms a security patch for ea-openssl11 in EasyApache 4 25.54, but it does not provide root-cause details, affected versions, or exploitation conditions for CVE-2026-28387.

Official resources

The vendor's official advisory and the public CVE record are available. The CVE was published 2026-04-07 and last modified 2026-05-10.