PatchSiren

CVE-2026-29202 cPanel CVE debrief

On 2026-05-07, cPanel disclosed CVE-2026-29202, describing a Perl code injection issue in the create_user API call related to the plugin parameter. cPanel says fixed builds are available for affected cPanel & WHM branches, WP Squared 11.136.1.11 and later, and a direct 11.110.0.116 update for CentOS 6 or CloudLinux 6 systems. Administrators should prioritize upgrading any affected systems and verify that automation or tooling that uses the create_user API is running on a patched release.

Vendor: cPanel
Product: cPanel/WHM
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-07
Original CVE updated: 2026-05-11
Advisory published: 2026-05-07
Advisory updated: 2026-05-11

Who should care

cPanel/WHM and WP Squared administrators, especially teams that use the create_user API call in automation or manage legacy CentOS 6 / CloudLinux 6 hosts.

Technical summary

According to the vendor advisory, CVE-2026-29202 is a Perl code injection issue affecting the create_user API call and involving the plugin parameter. cPanel states the issue is fixed in cPanel & WHM 11.136.0.9 and later, 11.134.0.25 and later, 11.132.0.31 and later, 11.130.0.22 and later, 11.126.0.58 and later, 11.124.0.37 and later, 11.118.0.66 and later, 11.110.0.117 and later, 11.102.0.41 and later, 11.94.0.30 and later, and 11.86.0.43 and later. WP Squared is fixed in 11.136.1.11 and later. For CentOS 6 or CloudLinux 6, cPanel also released 11.110.0.116 as a direct update.

Defensive priority

High operational priority for any environment exposing or automating cPanel/WHM management, because the affected component is an administrative API path and the vendor has published multiple fixed branches.

Recommended defensive actions

  • Upgrade cPanel & WHM to the first fixed release for your installed branch, or a later patched build.
  • Upgrade WP Squared to 11.136.1.11 or later if applicable.
  • If you are still on CentOS 6 or CloudLinux 6, follow the vendor's documented path to the 11.110.0.116 direct update and set the upgrade tier as instructed by cPanel.
  • Review any automation, integrations, or scripts that call create_user and confirm they are operating against patched versions.
  • Track the vendor advisory for updates and verify all managed servers are on a patched release line.
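
One way to check a server inventory against the fixed builds listed above. This is an added example, not vendor or PatchSiren code. The function names, status strings and sample inventory are assumptions made for illustration, and treating 11.110.0.116 as sufficient on CentOS 6 / CloudLinux 6 hosts is this example's reading of the advisory summary.

```python
# Added example: fixed builds below are copied from the advisory summary on this page.
FIXED = {  # cPanel & WHM branch -> first fixed build on that branch
    (136, 0): 9, (134, 0): 25, (132, 0): 31, (130, 0): 22,
    (126, 0): 58, (124, 0): 37, (118, 0): 66, (110, 0): 117,
    (102, 0): 41, (94, 0): 30, (86, 0): 43,
}
WP_SQUARED_FIXED = (136, 1, 11)   # WP Squared 11.136.1.11 and later
EL6_DIRECT = (110, 0, 116)        # direct update for CentOS 6 / CloudLinux 6

def parse(version):
    """Turn '11.110.0.117' (or the short '110.0.117') into (110, 0, 117)."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) == 4 and parts[0] == 11:
        parts = parts[1:]
    if len(parts) != 3:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(parts)

def assess(version, product="cpanel", el6=False):
    """Return 'patched', 'needs-update' or 'unlisted-branch'."""
    major, minor, build = parse(version)
    if product == "wp_squared":
        ok = (major, minor, build) >= WP_SQUARED_FIXED
        return "patched" if ok else "needs-update"
    if el6 and (major, minor) == EL6_DIRECT[:2]:
        return "patched" if build >= EL6_DIRECT[2] else "needs-update"
    first_fixed = FIXED.get((major, minor))
    if first_fixed is None:
        # Branch not named in the advisory: do not guess, check the vendor page.
        return "unlisted-branch"
    return "patched" if build >= first_fixed else "needs-update"

def audit(inventory):
    """inventory: iterable of (host, version, product, el6) tuples."""
    return {host: assess(ver, prod, el6) for host, ver, prod, el6 in inventory}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("web01.example.test", "11.136.0.9", "cpanel", False),
    ("web02.example.test", "11.134.0.24", "cpanel", False),
    ("legacy01.example.test", "11.110.0.116", "cpanel", True),
    ("wp01.example.test", "11.136.1.10", "wp_squared", False),
    ("lab01.example.test", "11.128.0.5", "cpanel", False),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as unlisted-branch are on a release line the advisory summary does not name, so their status has to be confirmed against the vendor advisory itself.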

Evidence notes

This debrief is based on the supplied cPanel vendor advisory summary and the official CVE/NVD links provided in the source corpus. The source corpus does not provide a CVSS score, exploit proof, or additional technical detail beyond the vendor's description and fixed-version list.

Official resources

Vendor-disclosed on 2026-05-07 and patched in official cPanel/WHM and WP Squared releases; no Known Exploited Vulnerabilities listing was provided in the source corpus.