PatchSiren

CVE-2026-42945 cPanel CVE debrief

cPanel’s EasyApache 4 25.60 update addresses CVE-2026-42945, described by the vendor as a critical heap buffer overflow in ngx_http_rewrite_module affecting ea-nginx versions v1.30.0 through v1.31.0. The release also rebuilds ea-nginx-echo, ea-nginx-headers-more, ea-nginx-passenger, and ea-nginx-njs against the patched nginx build. For organizations using EasyApache 4 with ea-nginx, this is a high-priority security update.

Vendor: cPanel
Product: cPanel/WHM
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-05-14
Advisory published: Unknown
Advisory updated: Unknown

Who should care

Administrators of cPanel/WHM servers using EasyApache 4, especially systems that install or depend on ea-nginx and the related ea-nginx-* packages. Security teams responsible for internet-facing web servers should treat this as a prompt patching item.

Technical summary

According to the vendor advisory text supplied in the corpus, the issue is a heap buffer overflow in ngx_http_rewrite_module within ea-nginx, affecting versions v1.30.0 to v1.31.0. cPanel states the security release rebuilds related EasyApache 4 nginx packages against the patched version. No additional technical details, trigger conditions, or exploit mechanics were provided in the supplied sources.

Defensive priority

High priority. The supplied CVSS score is 8.1 (HIGH), and the vendor describes the flaw as Critical. Systems running affected ea-nginx versions should be updated as soon as practical.

Recommended defensive actions

  • Update cPanel/WHM EasyApache 4 packages to the fixed release referenced by the vendor advisory.
  • Verify whether ea-nginx is installed on any production or exposed hosts, and confirm the installed version is outside the affected range v1.30.0 to v1.31.0.
  • Rebuild or refresh dependent EasyApache 4 packages so they are linked against the patched nginx build, as the advisory indicates for ea-nginx-echo, ea-nginx-headers-more, ea-nginx-passenger, and ea-nginx-njs.
  • Prioritize internet-facing systems and any hosts that handle untrusted web traffic.
  • Monitor vendor release notes and change logs for any follow-on fixes or package-specific guidance.
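
One way to carry out the version check from the list above, as an added example that is not part of the vendor advisory or cPanel's tooling. It assumes an RPM-based host, that the ea-nginx RPM VERSION field carries the nginx version the advisory cites, and that the range v1.30.0 to v1.31.0 is inclusive at both ends; the `--host` switch is this script's own.

```shell
#!/bin/sh
# Added example. Assumptions: inclusive range; RPM VERSION is the nginx version.
AFFECTED_MIN="1.30.0"
AFFECTED_MAX="1.31.0"

# ver_le A B: succeed when dotted numeric version A <= B (numeric per field).
ver_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 0
}

# in_affected_range VERSION: 0 = in range, 1 = outside, 2 = unparseable.
in_affected_range() {
    v=${1#v}        # tolerate a leading "v"
    v=${v%%-*}      # drop an RPM release suffix such as "-1.el8"
    case $v in
        ""|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    ver_le "$AFFECTED_MIN" "$v" && ver_le "$v" "$AFFECTED_MAX"
}

# check_host: classify ea-nginx, then list the dependent packages so their
# installed builds can be compared against the vendor's release notes.
check_host() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 0; }
    if ver=$(rpm -q --qf '%{VERSION}' ea-nginx 2>/dev/null); then
        rc=0; in_affected_range "$ver" || rc=$?
        case $rc in
            0) echo "ea-nginx $ver: IN affected range, update required" ;;
            1) echo "ea-nginx $ver: outside affected range" ;;
            *) echo "ea-nginx $ver: version not parseable, check manually" ;;
        esac
    else
        echo "ea-nginx: not installed"
    fi
    for pkg in ea-nginx-echo ea-nginx-headers-more ea-nginx-passenger ea-nginx-njs; do
        rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null || true
    done
}

if [ "${1:-}" = "--host" ]; then check_host; fi
```

The comparison is numeric per field, so a version such as 1.4.0 is not mistaken for something between 1.30.0 and 1.31.0 the way a plain string comparison would.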

Evidence notes

Evidence is limited to the supplied vendor advisory summary and the CVE metadata. The vendor text states: EasyApache 4 25.60 security update addresses CVE-2026-42945, a critical heap buffer overflow in ngx_http_rewrite_module, affecting ea-nginx v1.30.0 to v1.31.0, and rebuilds related ea-nginx packages against the patched version. The supplied CVE metadata lists CVSS 8.1 HIGH and a published date of 2026-05-13T14:12:43.971Z.

Official resources

Public vendor advisory; no exploit code or weaponized reproduction details are included here.