CVE-2026-29201
Published 2026-05-08
CVE-2026-29201: Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is…
Priority P3 · 52 · high · 8.6 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
EPSS: 0.43% (34.8th percentile)
Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| webpros | cpanel | >= 11.102.0.0 < 11.102.0.41 | 11.102.0.41 |
| webpros | cpanel | >= 11.110.0.0 < 11.110.0.117 | 11.110.0.117 |
| webpros | cpanel | >= 11.118.0.0 < 11.118.0.66 | 11.118.0.66 |
| webpros | cpanel | >= 11.124.0.0 < 11.124.0.37 | 11.124.0.37 |
| webpros | cpanel | >= 11.126.0.0 < 11.126.0.58 | 11.126.0.58 |
| webpros | cpanel | >= 11.130.0.0 < 11.130.0.22 | 11.130.0.22 |
| webpros | cpanel | >= 11.132.0.0 < 11.132.0.31 | 11.132.0.31 |
| webpros | cpanel | >= 11.134.0.0 < 11.134.0.25 | 11.134.0.25 |
| webpros | cpanel | >= 11.136.0.0 < 11.136.0.9 | 11.136.0.9 |
| webpros | cpanel | >= 11.86.0.0 < 11.86.0.43 | 11.86.0.43 |
| webpros | cpanel | >= 11.94.0.0 < 11.94.0.30 | 11.94.0.30 |
| webpros | wp_squared | >= 11.136.1.0 < 11.136.1.11 | 11.136.1.11 |
VulDB
WebPros cPanel/WP Squared feature::LOADFEATUREFILE path traversal
vuldb·2026-05-08·CVSS 4.3
CVE-2026-29201 [MEDIUM] WebPros cPanel/WP Squared feature::LOADFEATUREFILE path traversal
A vulnerability identified as problematic has been detected in WebPros cPanel and WP Squared. Affected by this vulnerability is the function feature::LOADFEATUREFILE. This manipulation causes relative path traversal.
The identification of this vulnerability is CVE-2026-29201. It is possible to initiate the attack remotely. There is no exploit available.
You should upgrade the affected component.
GHSA
GHSA-c3fx-j4hr-97w5: Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file
ghsa_unreviewed·2026-05-08
CVE-2026-29201 [MEDIUM] CWE-20 GHSA-c3fx-j4hr-97w5: Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file
Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
blogs_hackernews·2026-05-11·CVSS 9.3
CVE-2026-6973 [CRITICAL] ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
## ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Rough Monday.
Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.
The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping st
Hackernews
cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now
blogs_hackernews·2026-05-09·CVSS 4.3
CVE-2026-29201 [MEDIUM] cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now
## cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now
cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to achieve privilege escalation, code execution, and denial-of-service.
The list of vulnerabilities is as follows -
CVE-2026-29201 (CVSS score: 4.3) - An insufficient input validation of the feature file name in the "feature::LOADFEATUREFILE" adminbin call that could result in an arbitrary file read.
CVE-2026-29202 (CVSS score: 8.8) - An insufficient input validation of the "plugin" parameter in the "create_user API" call that could res
Published 2026-05-08