CVE-2026-29202
published 2026-05-08CVE-2026-29202: Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated…
PriorityP261high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.83%
53.0th percentile
Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| webpros | cpanel | >= 11.102.0.0 < 11.102.0.41 | 11.102.0.41 |
| webpros | cpanel | >= 11.110.0.0 < 11.110.0.117 | 11.110.0.117 |
| webpros | cpanel | >= 11.118.0.0 < 11.118.0.66 | 11.118.0.66 |
| webpros | cpanel | >= 11.124.0.0 < 11.124.0.37 | 11.124.0.37 |
| webpros | cpanel | >= 11.126.0.0 < 11.126.0.58 | 11.126.0.58 |
| webpros | cpanel | >= 11.130.0.0 < 11.130.0.22 | 11.130.0.22 |
| webpros | cpanel | >= 11.132.0.0 < 11.132.0.31 | 11.132.0.31 |
| webpros | cpanel | >= 11.134.0.0 < 11.134.0.25 | 11.134.0.25 |
| webpros | cpanel | >= 11.136.0.0 < 11.136.0.9 | 11.136.0.9 |
| webpros | cpanel | >= 11.86.0.0 < 11.86.0.43 | 11.86.0.43 |
| webpros | cpanel | >= 11.94.0.0 < 11.94.0.30 | 11.94.0.30 |
| webpros | wp_squared | >= 11.136.1.0 < 11.136.1.11 | 11.136.1.11 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for exploitation of the `plugin` parameter in the `create_user` API call, which allows injection of arbitrary Perl code executed as the authenticated account's system user. ↗
- →Alert on cPanel/WHM API calls to `create_user` where the `plugin` parameter contains Perl code constructs (e.g., semicolons, backticks, system(), exec(), or eval() patterns) indicative of code injection attempts. ↗
- ·Exploitation requires prior authentication; the injected Perl code runs as the authenticated account's system user, not necessarily root. Scope of impact depends on the privilege level of the authenticated user. ↗
- ·No evidence of in-the-wild exploitation reported for CVE-2026-29202 at time of disclosure. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.05.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
WebPros cPanel/WP Sqaured create_user plugin privilege escalation
vuldb·2026-05-08·CVSS 8.8
CVE-2026-29202 [HIGH] WebPros cPanel/WP Sqaured create_user plugin privilege escalation
A vulnerability labeled as critical has been found in WebPros cPanel and WP Sqaured. Affected by this issue is the function create_user. Such manipulation of the argument plugin leads to privilege escalation.
This vulnerability is referenced as CVE-2026-29202. It is possible to launch the attack remotely. No exploit is available.
The affected component should be upgraded.
GHSA
GHSA-4jrh-q927-mvfj: Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already auth
ghsa_unreviewed·2026-05-08
CVE-2026-29202 [HIGH] CWE-20 GHSA-4jrh-q927-mvfj: Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already auth
Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
blogs_hackernews·2026-05-11·CVSS 9.3
CVE-2026-6973 [CRITICAL] ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Rough Monday.
Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.
The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping st
Hackernews
cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now
blogs_hackernews·2026-05-09·CVSS 4.3
CVE-2026-29201 [MEDIUM] cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now
cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to achieve privilege escalation, code execution, and denial-of-service.
The list of vulnerabilities is as follows -
CVE-2026-29201 (CVSS score: 4.3) - An insufficient input validation of the feature file name in the "feature::LOADFEATUREFILE" adminbin call that could result in an arbitrary file read.
CVE-2026-29202 (CVSS score: 8.8) - An insufficient input validation of the "plugin" parameter in the "create_user API" call that could res
2026-05-08
Published