PatchSiren

cPanel CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH cPanel CVE published 2026-06-09

CVE-2026-45447

A security and maintenance update for EasyApache 4 (version 25.66) was released, addressing five CVEs, including four High-severity issues (CVE-2026-45447, CVE-2026-34180, CVE-2026-7383, CVE-2026-9076). The update patches ea-openssl11 to 1.1.1w-8 (for CentOS 7 only) with TuxCare/ELS backports and updates the Passenger ecosystem to v6.1.5. This release aims to enhance security and stability for users of cPanel/WHM.

CRITICAL cPanel CVE published 2026-06-05

CVE-2026-47365

An argument injection vulnerability in WP Toolkit before version 6.11.0, as bundled with cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization boundaries and execute arbitrary wp-toolkit CLI commands under the context of another account. The flaw exists in how WP Toolkit handles command-line arguments, permitting injection that subverts intended tenant isolation on multi-user [truncated]

CRITICAL cPanel CVE published 2026-05-22

CVE-2026-9256

cPanel released a security update for ea-nginx, moving the package to version 1.31.1 to address CVE-2026-9256. The vendor describes the issue as a security vulnerability tied to ea-nginx's ngx_http_rewrite_module and notes remote code execution risk through worker process memory pool handling ("nginx-poolslip"). Administrators running cPanel/WHM with ea-nginx installed should prioritize the update.

HIGH cPanel CVE published 2026-05-14

CVE-2026-32991

cPanel disclosed CVE-2026-32991 on 2026-05-13. According to the vendor advisory, a low-privilege team user with the default role could escalate to the owner account’s full capabilities through certain UAPI modules. The issue affects cPanel & WHM versions 110 and higher, and cPanel has released fixed builds across supported branches, plus a WP Squared fix. Because this is an authenticated privilege-escalat [truncated]

HIGH cPanel CVE published 2026-05-14

CVE-2026-29206

cPanel disclosed CVE-2026-29206 as a SQL injection issue in the sqloptimizer script affecting all cPanel & WHM versions. The vendor states patched releases are available for cPanel & WHM and WP Squared, and recommends extra upgrade-tier steps for customers still on CentOS 6 or CloudLinux 6.

HIGH cPanel CVE published 2026-05-14

CVE-2026-32993

CVE-2026-32993 is a vendor-reported vulnerability in cPanel’s cpsrvd service where an unauthenticated endpoint could allow arbitrary HTTP header insertion. cPanel says the issue affects cPanel & WHM versions 132 and higher and was patched in specific release lines published on 2026-05-13.

HIGH cPanel CVE published 2026-05-14

CVE-2026-32992

cPanel published a security update on 2026-05-13 for CVE-2026-32992. The vendor says SSL verification was not fully enforced in the DNS Cluster system, which could let a malicious server man-in-the-middle a request and capture credentials. cPanel released fixes in specific cPanel & WHM branches and in WP Squared, and states that later versions are also patched.

HIGH cPanel CVE published 2026-05-14

CVE-2026-29205

cPanel disclosed CVE-2026-29205 on 2026-05-13 and updated the advisory on 2026-05-14 with an additional fix. According to the vendor, incorrect privilege dropping combined with insufficient path filtering in certain cpdavd endpoints made it possible to read arbitrary files on affected cPanel & WHM systems. The issue affects cPanel & WHM version 120 and higher, and the vendor recommends moving to the patch [truncated]

CRITICAL cPanel CVE published 2026-05-13

CVE-2026-42945

cPanel’s EasyApache 4 25.60 update addresses CVE-2026-42945, described by the vendor as a critical heap buffer overflow in ngx_http_rewrite_module affecting ea-nginx versions v1.30.0 through v1.31.0. The release also rebuilds ea-nginx-echo, ea-nginx-headers-more, ea-nginx-passenger, and ea-nginx-njs against the patched nginx build. For organizations using EasyApache 4 with ea-nginx, this is a high-priorit [truncated]

CRITICAL cPanel CVE published 2026-05-12

CVE-2026-45185

CVE-2026-45185, also called Dead.Letter, is described as a use-after-free in Exim BDAT message body parsing when TLS is handled by GnuTLS. cPanel’s official advisory states its Exim build does not set USE_GNUTLS, depends on OpenSSL instead, and is not affected.

Review cPanel CVE published 2026-05-12

CVE-2026-43515

cPanel’s EasyApache 4 25.59 security release, published on 2026-05-12, explicitly includes a fix for CVE-2026-43515. In the supplied vendor material, cPanel does not describe the flaw’s root cause, affected component details, or exploitation impact for this CVE, so the safest interpretation is that it should be treated as a security-relevant update for EasyApache 4 users until exposure is ruled out in you [truncated]

HIGH cPanel CVE published 2026-05-12

CVE-2026-28387

CVE-2026-28387 is addressed in cPanel’s EasyApache 4 25.54 release, which delivers a security patch for ea-openssl11. The vendor advisory groups this issue with related OpenSSL package CVEs in the same update stream, so the practical response is to treat the EasyApache 4 package refresh as the fix path for affected cPanel/WHM systems.

HIGH cPanel CVE published 2026-05-10

CVE-2026-6735

cPanel’s EasyApache 4 25.58 security release, published on 2026-05-10, includes a fix for CVE-2026-6735 alongside several other CVEs. The vendor notice says updated packages were released for ea-php82, ea-php83, ea-php84, and ea-php85. The supplied advisory does not provide technical root-cause details for CVE-2026-6735, so the safest takeaway is operational: ensure the EasyApache 4 PHP packages are updat [truncated]

Review cPanel CVE published 2026-05-07

CVE-2026-29203

cPanel disclosed an unsafe symlink handling flaw in cPanel & WHM / WP Squared that could let a user chmod an arbitrary file. The vendor says this can cause denial of service and may enable privilege escalation, and it has released patched builds across supported branches.

Review cPanel CVE published 2026-05-07

CVE-2026-29202

On 2026-05-07, cPanel disclosed CVE-2026-29202, describing a Perl code injection issue in the create_user API call related to the plugin parameter. cPanel says fixed builds are available for affected cPanel & WHM branches, WP Squared 11.136.1.11 and later, and a direct 11.110.0.116 update for CentOS 6 or CloudLinux 6 systems. Administrators should prioritize upgrading any affected systems and verify that [truncated]

Review cPanel CVE published 2026-05-07

CVE-2026-29201

cPanel released a vendor security update for all supported cPanel & WHM versions that includes a fix for CVE-2026-29201, an arbitrary file read issue in the LOADFEATUREFILE adminbin call. The same update also addresses two additional vulnerabilities in cPanel & WHM, but this debrief focuses on the file-read issue tracked as CVE-2026-29201.

Review cPanel CVE published 2026-05-05

CVE-2026-40687

cPanel’s advisory groups CVE-2026-40684 through CVE-2026-40687 and says the underlying Exim issues affect versions prior to 4.99.2. cPanel has already released updated cpanel-exim 4.99.2 in patched cPanel/WHM builds, and administrators are advised to upgrade promptly. The source does not include exploit details, impact specifics, or a CVSS score for CVE-2026-40687.

Review cPanel CVE published 2026-05-05

CVE-2026-40686

cPanel’s advisory groups CVE-2026-40686 with three related Exim issues and says the fix is already available in updated cPanel/WHM builds. The vendor notes that Exim versions prior to 4.99.2 are affected and that upgrading cPanel/WHM to a patched release updates cpanel-exim to 4.99.2. The advisory does not provide separate technical details for CVE-2026-40686 by itself, so the most reliable defensive take [truncated]

Review cPanel CVE published 2026-05-05

CVE-2026-40685

cPanel’s advisory groups CVE-2026-40685 with three related Exim issues and states that versions of Exim prior to 4.99.2 are affected. For cPanel/WHM customers, the vendor says a patched Exim package is already available in specific builds, so the practical response is to move to the fixed cPanel/WHM release rather than waiting for a separate standalone remediation note.

Review cPanel CVE published 2026-05-05

CVE-2026-40684

cPanel’s advisory says Exim vulnerabilities affecting versions prior to 4.99.2 are fixed in updated cpanel-exim packages delivered through specific cPanel/WHM builds. Administrators running affected cPanel/WHM versions should upgrade to a patched release as soon as practical.

Review cPanel CVE published 2026-05-05

CVE-2026-24072

CVE-2026-24072 is a privilege-escalation issue in Apache HTTP Server that cPanel says affects version 2.4.66 and earlier. The vendor summary says local .htaccess authors may be able to read files with the privileges of the httpd user. Apache HTTP Server 2.4.67 is identified as the fixed release.

Review cPanel CVE published 2026-05-05

CVE-2026-23918

CVE-2026-23918 is a vendor-confirmed remote code execution issue called out in cPanel’s EasyApache 4 25.57 release notes. The advisory says ea-apache24 was updated to 2.4.67 to address 11 CVEs, including this one in mod_http2. For cPanel/WHM environments that use EasyApache 4, this is a high-priority security update because the affected component sits in the Apache package stack and the vendor characteriz [truncated]

MEDIUM cPanel CVE published 2026-04-02

CVE-2026-34830

cPanel’s EasyApache 4 25.53 release includes a security update for ea-ruby27-rubygem-rack that addresses CVE-2026-34830. The vendor notice does not provide additional vulnerability details in the supplied corpus, but it does confirm that affected EasyApache 4 package users should move to the updated release.

HIGH cPanel CVE published 2026-03-18

CVE-2026-27135

cPanel’s EasyApache 4 25.52 maintenance release includes a security update for ea-nghttp2 and identifies CVE-2026-27135 as the fixed issue. The vendor advisory does not provide technical detail about the flaw in the supplied corpus, but it does make clear that this release is part of a broader EasyApache update cycle that also includes other package refreshes and compatibility fixes.

HIGH cPanel CVE published 2026-02-23

CVE-2026-21863

cPanel’s EasyApache 4 25.49 release updates ea-valkey72 from Valkey 7.2.11 to 7.2.12 to address CVE-2026-21863, described by the vendor as a remote denial-of-service condition triggered by a malformed Valkey Cluster bus message. For environments that rely on the packaged Valkey component, this is primarily an availability fix and should be applied promptly.

MEDIUM cPanel CVE published 2026-02-04

CVE-2026-1642

cPanel’s EasyApache 4 25.46 security release includes a fix for CVE-2026-1642 in ea-nginx. The vendor describes the issue as an SSL backend injection problem and ships the remediation through updated nginx packages and related rebuilds. If you manage cPanel/WHM systems that use EasyApache 4, this is a security update worth applying promptly.

LOW cPanel CVE published 2026-01-28

CVE-2025-0167

cPanel’s EasyApache 4 25.5 release is a vendor-official security update that references CVE-2025-0167 alongside other CVEs. The supplied source confirms remediation was delivered through updated EasyApache 4 packages, but it does not provide the underlying vulnerability details or clearly map this CVE to a specific component in the excerpt provided.

MEDIUM cPanel CVE published 2026-01-28

CVE-2024-9681

cPanel’s EasyApache 4 2024.11.13 release includes a security update for libcurl to address CVE-2024-9681. Based on the supplied vendor notice, this is a package-level remediation for EasyApache 4 users rather than a standalone cPanel feature change. The corpus does not provide vulnerability mechanics, affected version ranges, or a CVSS score, so the safest response is to treat this as a prompt security ma [truncated]

MEDIUM cPanel CVE published 2026-01-28

CVE-2024-8096

cPanel’s EasyApache 4 2024.9.18 release includes a security update to libcurl that addresses CVE-2024-8096. The vendor note does not provide technical specifics about the flaw in the supplied corpus, but it does confirm that updated EasyApache 4 packages are available and that libxml2, Pear, and ionCube 13 were also refreshed in the same release. Administrators should treat this as a required maintenance [truncated]

LOW cPanel CVE published 2026-01-20

CVE-2025-55132

cPanel’s EasyApache 4 25.43 release includes Node.js updates that fix CVE-2025-55132. The vendor describes the issue as an HTTP Request Smuggling vulnerability in the Node.js permission model. For defenders, the key action is to verify whether EasyApache-managed Node.js packages are in use and apply the updated release promptly.

MEDIUM cPanel CVE published 2025-12-27

CVE-2025-14177

CVE-2025-14177 is an information leak issue in PHP’s getimagesize function that cPanel says was addressed in the EasyApache 4 25.41 security release. The vendor describes this as part of a critical security update spanning PHP 8.1 through 8.5. If your cPanel/WHM environment uses EasyApache 4-managed PHP packages, this is a high-priority update to apply and verify.

LOW cPanel CVE published 2025-12-09

CVE-2024-11053

cPanel’s EasyApache 4 2024.12.18 release is a vendor-official security update that explicitly names CVE-2024-11053. In the supplied corpus, the advisory ties this CVE to security updates for libcurl and Tomcat 10.1, but it does not provide the flaw class, severity, or exploit details. The safest reading is straightforward: if your cPanel/WHM environment uses EasyApache 4 packages, this release should be t [truncated]

HIGH cPanel CVE published 2025-10-07

CVE-2025-61772

CVE-2025-61772 is referenced in cPanel’s EasyApache 4 25.31 release notes as part of a broader security update set. The supplied corpus does not identify the exact vulnerable package, flaw type, or severity, so the safest interpretation is that this is a vendor-released package update that should be applied promptly on cPanel/WHM systems using EasyApache 4.

HIGH cPanel CVE published 2025-09-09

CVE-2025-48976

cPanel’s EasyApache 4 25.20 release includes a security update for Tomcat 10.1 that addresses CVE-2025-48976. The provided vendor note confirms remediation through the package update, but it does not describe the underlying weakness. Administrators running cPanel/WHM with EasyApache 4 Tomcat 10.1 should treat this as a patching item and verify they are on the updated release.

LOW cPanel CVE published 2025-08-13

CVE-2025-53859

cPanel’s EasyApache 4 25.28 release includes security updates for NGINX and libcurl to address CVE-2025-53859. The vendor note does not describe the underlying flaw, impact, or severity, so the safest reading is that this is a security fix affecting common web and client networking components delivered through EasyApache 4.

HIGH cPanel CVE published 2025-07-18

CVE-2025-27210

cPanel’s EasyApache 4 25.26 release includes security updates for NodeJS 20 and ModSecurity 2 that address CVE-2025-27210. The supplied vendor note does not describe the underlying flaw in technical detail, but it does confirm that this CVE is remediated through the EasyApache 4 update path. Administrators running cPanel/WHM environments that rely on EasyApache-managed NodeJS 20 or ModSecurity 2 packages [truncated]

Review cPanel CVE published 2025-07-10

CVE-2025-53020

cPanel’s EasyApache 4 25.24 is a vendor security release for Apache 2.4 that includes fixes for CVE-2025-53020 and seven additional CVEs. The supplied advisory confirms this is a security update, but it does not provide CVE-2025-53020-specific technical impact or severity details in the corpus provided here.

HIGH cPanel CVE published 2025-07-07

CVE-2025-32023

cPanel’s EasyApache 4 25.23 release includes Redis security updates that address CVE-2025-32023. The vendor advisory references this CVE directly, but the supplied source corpus does not describe the weakness, affected Redis versions, or exploitation conditions.

MEDIUM cPanel CVE published 2025-07-02

CVE-2025-52891

cPanel’s EasyApache 4 25.22 release is a vendor-official security update that lists CVE-2025-52891 among the issues addressed by updated PHP packages. The supplied advisory does not describe the underlying flaw, but it does indicate that remediation is available through the EasyApache 4 package update path.

HIGH cPanel CVE published 2025-05-21

CVE-2025-47947

cPanel’s EasyApache 4 25.18 release notes identify CVE-2025-47947 as one of the issues addressed in a security update to ModSecurity 2. In the supplied corpus, no CVSS score, exploit details, or impact description is provided for the CVE itself, so the safest interpretation is to treat this as a vendor-confirmed package-level security fix for EasyApache 4 deployments.

HIGH cPanel CVE published 2025-05-19

CVE-2025-23166

cPanel’s EasyApache 4 25.16 release includes security updates for NodeJS 20 and NodeJS 22 that address CVE-2025-23166. The vendor note also mentions package updates for Ruby Rack, Tomcat 10.1, and APR. The supplied source does not describe the underlying flaw, so the practical takeaway is to keep EasyApache 4 and its Node.js packages current.

Review cPanel CVE published 2025-04-28

CVE-2025-31651

cPanel’s EasyApache 4 25.12 release includes a security update for Tomcat 10.1 to address CVE-2025-31651. Based on the supplied vendor advisory, this is a confirmed remediation release, but the source corpus does not include the vulnerability’s technical details, impact, or severity score. Administrators using EasyApache 4 and Tomcat 10.1 should treat the update as important and review the vendor release [truncated]

Review cPanel CVE published 2025-04-22

CVE-2025-43921

CVE-2025-43921 is one of three Mailman vulnerabilities referenced by cPanel in a vendor security article published on 2025-04-22 and updated on 2025-04-29. In that advisory, cPanel said it was not aware of a vulnerability in cPanel/WHM, briefly tested the proof-of-concept material, and could not reproduce the claims. After additional internal review and third-party subject-matter expert input, cPanel still [truncated]

Review cPanel CVE published 2025-04-22

CVE-2025-43920

cPanel’s official support article groups CVE-2025-43920 with CVE-2025-43919 and CVE-2025-43921 affecting Mailman 2.1.39. For cPanel/WHM customers, the vendor states it is not aware of confirmed impact, briefly tested the published PoCs without reproducing the claims, and later said internal and third-party review still could not validate them. Because the advisory does not provide a standalone technical r [truncated]

Review cPanel CVE published 2025-04-22

CVE-2025-43919

cPanel’s official guidance for the Mailman 2.1.39 advisory does not confirm that cPanel/WHM is affected by CVE-2025-43919. The vendor says it briefly tested the reported proof-of-concept material and later investigated the claims internally and with third-party subject-matter experts, but was unable to reproduce them using the information provided. The article was updated on 2025-04-28, and the supplied s [truncated]

LOW cPanel CVE published 2025-04-17

CVE-2025-32415

cPanel’s EasyApache 4 25.14 release notes list security updates for libxml2 and Valkey that address CVE-2025-32415, alongside two other CVEs. The supplied source does not provide the affected version range, component-to-CVE mapping, severity, or exploitation details, so this should be treated as a vendor-published security maintenance update rather than a fully characterized vulnerability advisory.

MEDIUM cPanel CVE published 2025-03-30

CVE-2025-1736

cPanel’s EasyApache 4 25.10 release notes say the update includes security fixes for PHP 8.1, 8.2, 8.3, and 8.4, including CVE-2025-1736. The provided source does not describe the vulnerability class, impact, or severity, so defenders should treat it as a vendor-confirmed PHP security issue affecting EasyApache 4 deployments until the official CVE record or NVD entry is reviewed.

HIGH cPanel CVE published 2025-03-10

CVE-2025-27610

cPanel’s EasyApache 4 25.9 release is a vendor security update for cPanel/WHM environments. The advisory says updated packages for EasyApache 4 include security fixes for Ruby Rack and Tomcat to address CVE-2025-27610 and CVE-2024-56337. The supplied source does not specify which component maps to which CVE, so the safest reading is that this release should be treated as the vendor-recommended remediation [truncated]

MEDIUM cPanel CVE published 2025-03-04

CVE-2025-27111

cPanel’s official EasyApache 4 25.8 release notes say the update includes a security fix for Ruby Rack that addresses CVE-2025-27111. The supplied source does not describe the vulnerability class, impact, or severity, so the safest interpretation is to treat this as a vendor-confirmed patch release for EasyApache 4 users and verify that the updated packages are installed.

MEDIUM cPanel CVE published 2025-02-24

CVE-2025-26803

cPanel’s EasyApache 4 25.7 release includes a security update for Passenger that addresses CVE-2025-26803. The vendor advisory also notes updated packages for Tomcat 10.1, NodeJS 18, and Memcached 1.6. Based on the supplied source corpus, the actionable takeaway is straightforward: operators running cPanel/WHM with EasyApache 4 should verify they have the 25.7 release or later applied so the Passenger fix [truncated]