PatchSiren cyber security CVE debrief
CVE-2026-29206 cPanel CVE debrief
cPanel disclosed CVE-2026-29206 as a SQL injection issue in the sqloptimizer script affecting all cPanel & WHM versions. The vendor states patched releases are available for cPanel & WHM and WP Squared, and recommends extra upgrade-tier steps for customers still on CentOS 6 or CloudLinux 6.
- Vendor: cPanel
- Product: cPanel/WHM
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-05-13
- Advisory published: 2026-05-13
- Advisory updated: 2026-05-13
Who should care
Administrators and hosting providers running cPanel & WHM or WP Squared, especially on systems that may still be on unpatched releases or legacy CentOS 6 / CloudLinux 6 upgrade tracks.
Technical summary
According to cPanel, the sqloptimizer script could create a SQL query in a way that allowed arbitrary SQL injection. The advisory states this affects all cPanel & WHM versions. Fixed builds listed by the vendor include cPanel & WHM 11.86.0.44, 11.94.0.31, 11.102.0.42, 11.110.0.118 (cl6110), 11.110.0.119, 11.118.0.67, 11.124.0.38, 11.126.0.59, 11.130.0.23, 11.132.0.32, 11.134.0.26, and 11.136.0.10 or higher, plus WP Squared 11.136.1.12 or higher.
Defensive priority
High
Recommended defensive actions
- Upgrade cPanel & WHM to a fixed release listed in the vendor advisory, or to a later patched version.
- Upgrade WP Squared to version 11.136.1.12 or later if you use that product line.
- If you are still on CentOS 6 or CloudLinux 6, follow the vendor instruction to set the upgrade tier to cl6110 and then complete the required upgrade steps.
- Verify installed versions across all hosts and confirm they meet or exceed the vendor-fixed builds.
- Review vendor changelogs and related cPanel security advisories for any additional remediation guidance.
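One way to carry out the version verification step across a fleet, as an added example that is not vendor or PatchSiren code. It covers cPanel & WHM builds only (not WP Squared) and assumes each host's version string has already been collected in the four-part form used above; treating series newer than 136 as patched is an assumption based on the "or higher" wording, and the hostnames are constructed.

```python
# Added example: classify cPanel & WHM hosts against the fixed builds this
# page lists for CVE-2026-29206. WP Squared (11.136.1.x) is not handled.

# Fixed build per release series (second version component), from the page.
FIXED_BUILDS = {86: 44, 94: 31, 102: 42, 110: 119, 118: 67, 124: 38,
                126: 59, 130: 23, 132: 32, 134: 26, 136: 10}
CL6_SERIES, CL6_BUILD = 110, 118   # 11.110.0.118 is the cl6110-tier build
NEWEST_SERIES = max(FIXED_BUILDS)


def parse_version(text):
    """Return (series, build) from a string such as '11.110.0.119'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    _, series, minor, build = (int(p) for p in parts)
    if minor != 0:
        # Fail closed: only x.y.0.z cPanel & WHM builds are listed on the page.
        raise ValueError(f"not a cPanel & WHM build string: {text!r}")
    return series, build


def check_host(version, cl6_tier=False):
    """Classify one host as 'patched', 'vulnerable' or 'no-listed-fix'."""
    series, build = parse_version(version)
    if series > NEWEST_SERIES:
        # Assumption: "11.136.0.10 or higher" covers later release series.
        return "patched"
    if series not in FIXED_BUILDS:
        # No fixed build is listed for this series; it needs a series upgrade.
        return "no-listed-fix"
    required = FIXED_BUILDS[series]
    if cl6_tier and series == CL6_SERIES:
        required = CL6_BUILD   # CentOS 6 / CloudLinux 6 hosts on tier cl6110
    return "patched" if build >= required else "vulnerable"


def audit(inventory):
    """inventory: iterable of (hostname, version, cl6_tier) tuples."""
    return {host: check_host(ver, cl6) for host, ver, cl6 in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = [("web01.example", "11.132.0.32", False),
              ("web02.example", "11.132.0.31", False),
              ("legacy01.example", "11.110.0.118", True),
              ("old01.example", "11.128.0.5", False)]
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as `no-listed-fix` are on a release series for which the page lists no fixed build, so they should be handled as unpatched until moved to a listed series.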
Evidence notes
Primary evidence is the vendor’s official security advisory for CVE-2026-29206, published 2026-05-13 and updated the same day in the source record. The advisory explicitly states the sqloptimizer issue, the affected product scope, and the fixed version thresholds. Official CVE and NVD links are included as canonical reference points; no additional unsupported details were used.
Official resources
- CVE-2026-29206 CVE record (CVE.org)
- CVE-2026-29206 NVD detail (NVD)
- Vendor advisory source (cpanel_changelog_rss)
cPanel publicly disclosed CVE-2026-29206 in its official security advisory on 2026-05-13. The source record was updated later the same day; the CVE publication date is treated as 2026-05-13.