Critical cPanel and WHM Vulnerabilities: 3 Urgent Patches You Must Apply

If you manage web hosting servers, you already know how vital cPanel and Web Host Manager (WHM) are. Recently, cPanel released emergency updates to fix three vulnerabilities that could allow attackers to escalate privileges, execute arbitrary code, or crash your system. These flaws affect both cPanel and WHM, so patching is not optional—it's mandatory. Below is a breakdown of each vulnerability and what you need to do to secure your servers.

1. CVE-2026-29201 — Insufficient Input Validation in Adminbin Call

The first vulnerability, tracked as CVE-2026-29201, carries a CVSS score of 4.3 (medium severity). It stems from insufficient input validation when processing the feature::LOADFEATUREFILE adminbin call. An attacker with limited access could craft a malicious request that forces cPanel to load an unauthorized feature file, potentially leading to privilege escalation or denial-of-service conditions. This bug does not require authentication to exploit in certain configurations, making it a real threat for shared hosting environments. Next item

2. Privilege Escalation via WHM API Endpoint

The second vulnerability (no CVE disclosed) resides in a WHM API endpoint that improperly validates user permissions. A low-level reseller or even a regular cPanel user might be able to trigger functions meant only for root-level administrators. This could allow an attacker to elevate their privileges and gain control over the entire WHM interface. Once exploited, the attacker could modify server settings, create new accounts, or install malicious modules. The fix tightens access controls and adds additional checks. Next item

3. Remote Code Execution Through Mail Delivery Agent

The third vulnerability affects cPanel's built-in mail delivery agent. An insufficient sanitization of email headers could enable an attacker to inject commands and achieve remote code execution on the server. This is the most critical of the three because it does not require any prior access—just the ability to send an email to a vulnerable account. Once code runs, the attacker could compromise the entire server, steal data, or launch further attacks. Update immediately to prevent exploitation. Back to top

Conclusion: These three vulnerabilities cover the full spectrum of web server threats: privilege escalation, code execution, and denial-of-service. The patches are available now in the latest cPanel & WHM builds. Do not delay—update your servers today. If you use automated update tools, verify they are functioning. For manual updates, log into WHM and navigate to Home > cPanel & WHM Updates. Always backup your configuration before applying patches. Stay secure.