PatchSiren

CVE-2026-32993 cPanel CVE debrief

CVE-2026-32993 is a vendor-reported vulnerability in cPanel’s cpsrvd service where an unauthenticated endpoint could allow arbitrary HTTP header insertion. cPanel says the issue affects cPanel & WHM versions 132 and higher and was patched in specific release lines published on 2026-05-13.

Vendor: cPanel
Product: cPanel/WHM
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-05-13
Advisory published: 2026-05-13
Advisory updated: 2026-05-13

Who should care

System administrators and security teams running cPanel & WHM or WP Squared, especially any server on a 132+ branch or a release older than the patched versions listed in the vendor advisory.

Technical summary

According to the official cPanel advisory, an unauthenticated endpoint in cpsrvd could accept input that results in insertion of arbitrary HTTP headers. The supplied source corpus contains no technical detail from the advisory beyond the affected product lines and fixed versions. cPanel states the issue is patched in cPanel & WHM 11.132.0.32 and higher, 11.134.0.26 and higher, 11.136.0.10 and higher, and WP Squared 11.136.1.12 and higher.

Defensive priority

High for exposed cPanel deployments, because the flaw is reachable without authentication and involves HTTP header manipulation in a core server component. The supplied source does not quantify impact or exploitation activity, so priority should be based on exposure and patch status rather than assumed severity.

Recommended defensive actions

  • Update cPanel & WHM or WP Squared to a patched release at or above the versions listed in the advisory.
  • If needed, run /scripts/upcp --force to apply the update.
  • Verify the installed version afterward with /usr/local/cpanel/cpanel -V.
  • Confirm the server is on a patched branch: cPanel & WHM 11.132.0.32+, 11.134.0.26+, 11.136.0.10+, or WP Squared 11.136.1.12+.
  • Review the latest cPanel changelogs for branch-specific release information.
  • Check for other security fixes bundled in the same release and schedule maintenance accordingly.
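
The branch-by-branch confirmation in the list above can be scripted. The following is an added example, not code from cPanel or the advisory: the function name, the product labels "cpanel" and "wp2", the result words, and the assumed "134.0 (build 26)" output form of cpanel -V are this example's own. The fixed builds are the ones listed above.

```shell
#!/bin/sh
# Added example (not vendor code): per-branch patch check for CVE-2026-32993.
# Fixed builds are the ones listed on this page. Product labels "cpanel" and
# "wp2" and the result words are names chosen for this example.
# Usage: check_patch PRODUCT VERSION
#   prints patched | vulnerable | not-in-scope | unlisted
check_patch() {
    product=$1
    # Assumption: `cpanel -V` may print "134.0 (build 26)"; rewrite that
    # form to the dotted 11.134.0.26 form used in the advisory.
    v=$(printf '%s' "$2" |
        sed -E 's/^([0-9]+)\.([0-9]+) \(build ([0-9]+)\)$/11.\1.\2.\3/')
    old_ifs=$IFS; IFS=.; set -f
    set -- $v
    set +f; IFS=$old_ifs
    if [ $# -ne 4 ] || [ "$1" != 11 ]; then echo unlisted; return; fi
    major=$2 minor=$3 build=$4
    for field in "$major" "$minor" "$build"; do
        case $field in ''|*[!0-9]*) echo unlisted; return ;; esac
    done
    if [ "$product" = wp2 ]; then
        # Only one WP Squared fix is listed: 11.136.1.12.
        if [ "$major" -ne 136 ]; then echo unlisted; return; fi
        fix_minor=1 fix_build=12
    else
        # The floor depends on the branch: 11.134.0.5 is numerically above
        # 11.132.0.32 but still below its own branch's fix (11.134.0.26).
        case $major in
            132) fix_build=32 ;;
            134) fix_build=26 ;;
            136) fix_build=10 ;;
            *)  if [ "$major" -lt 132 ]; then echo not-in-scope
                else echo unlisted; fi
                return ;;
        esac
        fix_minor=0
    fi
    if [ "$minor" -gt "$fix_minor" ] ||
       { [ "$minor" -eq "$fix_minor" ] && [ "$build" -ge "$fix_build" ]; }; then
        echo patched
    else
        echo vulnerable
    fi
}
```

A result of "unlisted" means the branch or version format is not one this page names, so it should be checked against the vendor advisory directly.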

Evidence notes

The vendor advisory published on 2026-05-13 and last modified the same day states: “An unauthenticated endpoint in cpsrvd was found that could allow the insertion of arbitrary HTTP headers.” It also states the affected scope is cPanel & WHM versions 132 and higher, and lists fixed versions for cPanel & WHM and WP Squared. No CVSS score, exploit details, or exploitation activity were included in the supplied source corpus.

Official resources

Vendor advisory published 2026-05-13 12:44:56 UTC and modified 2026-05-13 20:16:35 UTC; use those timestamps as the issue timeline in this debrief.