PatchSiren

CVE-2026-29203 cPanel CVE debrief

cPanel disclosed an unsafe symlink handling flaw in cPanel & WHM / WP Squared that could let a user chmod an arbitrary file. The vendor says this can cause denial of service and may enable privilege escalation, and it has released patched builds across supported branches.

Vendor: cPanel
Product: cPanel/WHM
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-07
Original CVE updated: 2026-05-11
Advisory published: 2026-05-07
Advisory updated: 2026-05-11

Who should care

Administrators of cPanel & WHM and WP Squared installations, especially systems where untrusted users can interact with local file operations, should prioritize this update. Hosts still on legacy CentOS 6 or CloudLinux 6 need to follow the vendor’s direct-update guidance.

Technical summary

According to the vendor advisory, the issue is an unsafe symlink handling error. The practical impact is that a user may be able to change permissions on an arbitrary file via chmod, which can disrupt service and may create a path to privilege escalation. cPanel lists fixed versions for multiple release trains, including 11.136.0.9+, 11.134.0.25+, 11.132.0.31+, 11.130.0.22+, 11.126.0.58+, 11.124.0.37+, 11.118.0.66+, 11.110.0.117+, 11.102.0.41+, 11.94.0.30+, and 11.86.0.43+; WP Squared 11.136.1.11+ is also patched. For CentOS 6 or CloudLinux 6, the advisory states that 11.110.0.116 is available as a direct update.

Defensive priority

High for exposed or shared-hosting cPanel environments, because the flaw touches file permissions and the vendor explicitly calls out possible privilege escalation. Remediation is straightforward if a patched build is available, so upgrade priority should be elevated even without confirmed exploitation.

Recommended defensive actions

  • Upgrade cPanel & WHM to a fixed build in your release line as listed by the vendor.
  • Upgrade WP Squared to 11.136.1.11 or later if you use that product.
  • If you are on CentOS 6 or CloudLinux 6, follow the vendor’s direct-update instructions for 11.110.0.116.
  • Verify the installed build number after updating to ensure the patched version is active.
  • Review any local change-management or hardening controls that rely on file-permission isolation, especially on shared systems.
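
A build check for the "verify the installed build number" step, added here as an example (it is not vendor or PatchSiren code). It compares a version string against the fixed builds listed in the technical summary; the function name check_build and the path /usr/local/cpanel/version are assumptions, and release lines the advisory does not name are reported as unknown rather than guessed.

```sh
#!/bin/sh
# Fixed builds from the debrief, as <major>.<minor>:<first fixed build>.
# 136.1 is the WP Squared line (11.136.1.11); the rest are cPanel & WHM.
FIXED_BUILDS="136.1:11 136.0:9 134.0:25 132.0:31 130.0:22 126.0:58 124.0:37
118.0:66 110.0:117 102.0:41 94.0:30 86.0:43"

# check_build VERSION [el6]
# Prints patched | vulnerable | unknown and returns 0 | 1 | 2.
# Pass "el6" on CentOS 6 / CloudLinux 6, where 11.110.0.116 is the fixed build.
check_build() {
    ver=$1
    el6=${2:-}
    # Accept digits and dots only, so the unquoted split below cannot glob.
    case $ver in
        ''|*[!0-9.]*) echo unknown; return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    if [ $# -ne 4 ] || [ "$1" != 11 ] || [ -z "$4" ]; then
        echo unknown; return 2
    fi
    train="$2.$3"
    build=$4
    for entry in $FIXED_BUILDS; do
        [ "${entry%%:*}" = "$train" ] || continue
        min=${entry##*:}
        if [ "$train" = 110.0 ] && [ "$el6" = el6 ]; then
            min=116
        fi
        if [ "$build" -ge "$min" ]; then
            echo patched; return 0
        fi
        echo vulnerable; return 1
    done
    # Release line not named in the advisory text: do not guess.
    echo unknown; return 2
}

# Assumed location of the installed version string on a cPanel server.
VERSION_FILE=/usr/local/cpanel/version
if [ -r "$VERSION_FILE" ]; then
    check_build "$(cat "$VERSION_FILE")" "${1:-}" || true
fi
```

Run it with the argument el6 on CentOS 6 or CloudLinux 6 hosts so that 11.110.0.116 is accepted as the fixed build.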

Evidence notes

This debrief is based on the vendor’s official security article for CVE-2026-29203, which states that an unsafe symlink handling error allowed chmod of an arbitrary file and lists the patched cPanel & WHM and WP Squared versions. The advisory was published on 2026-05-07T20:16:35Z and updated on 2026-05-11T20:00:06Z. No CVSS score was supplied in the provided corpus.

Official resources

Vendor advisory published 2026-05-07T20:16:35Z and updated 2026-05-11T20:00:06Z. This debrief uses the published CVE/advisory dates and does not infer an earlier issue date.