WebPros cPanel vulnerabilities
9 known vulnerabilities affecting webpros/cpanel.
Total CVEs: 9
CISA KEV (actively exploited): 1
Public exploits: 1
Exploited in the wild: 1
Severity breakdown: CRITICAL 1, HIGH 8
Vulnerabilities
CVE-2026-41940 | P1 | CRITICAL | CVSS 9.8 | KEV, PoC, Ransomware | 2026-04-29
Affected: ≥ 11.40.0.0, < 11.86.0.41; ≥ 11.88.0.0, < 11.94.0.28; +9 more ranges
CWE-306: Missing Authentication for Critical Function
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Source: nvd
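The listing prints affected versions as half-open ranges (inclusive lower bound, exclusive upper bound) and hides most of them behind "+N more". The script below is an added example, not code from this listing, NVD or cPanel: it compares an installed cPanel & WHM version against the ranges visible on this page for three of the entries. Assumptions not taken from the page: the version is the dotted string cPanel reports (for example 11.136.0.10) and on a server can be read from /usr/local/cpanel/version; because the page truncates each entry, a "not in a visible range" verdict is not the same as "not affected".

```python
"""Check a cPanel & WHM version against the affected ranges shown in this listing.

Added example; not code from the listing, NVD, or cPanel. Assumptions (not from
the page): the version is the dotted string cPanel reports (e.g. 11.136.0.10) and
on a server it can be read from /usr/local/cpanel/version. Ranges are the
half-open [lower, upper) intervals printed above. Each entry on the page is
truncated ("+N more"), so the tables below are partial: "not in a visible range"
is not the same as "not affected".
"""
import re
import sys
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Ranges copied from the listing above (inclusive lower bound, exclusive upper
# bound). Only the ranges visible on the page are included.
VISIBLE_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2026-41940": [("11.40.0.0", "11.86.0.41"), ("11.88.0.0", "11.94.0.28")],
    "CVE-2026-29205": [("11.136.0.0", "11.136.0.10"), ("11.134.0.0", "11.134.0.26")],
    "CVE-2026-29202": [("11.136.0.0", "11.136.0.9"), ("11.134.0.0", "11.134.0.25")],
}
# How many further ranges the listing hides behind "+N more" for each entry.
HIDDEN_RANGES = {"CVE-2026-41940": 9, "CVE-2026-29205": 4, "CVE-2026-29202": 9}


def parse_version(text: str) -> Version:
    """Turn '11.136.0.10' into (11, 136, 0, 10), padding short forms like '11.40'.

    Comparing as integer tuples matters: as strings, '11.136.0.10' sorts before
    '11.136.0.9', which would silently mark patched builds as vulnerable.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text):
        raise ValueError(f"not a dotted cPanel version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def in_range(version: Version, lower: str, upper: str) -> bool:
    """True if lower <= version < upper."""
    return parse_version(lower) <= version < parse_version(upper)


def affected_by(version_text: str, table=VISIBLE_RANGES) -> List[str]:
    """Return the CVE IDs whose visible ranges contain this version, sorted."""
    version = parse_version(version_text)
    return sorted(
        cve for cve, ranges in table.items()
        if any(in_range(version, lo, hi) for lo, hi in ranges)
    )


def report(version_text: str) -> str:
    """Human-readable verdict that keeps the truncation caveat attached."""
    hits = affected_by(version_text)
    lines = [f"cPanel & WHM {version_text.strip()}:"]
    if hits:
        lines += [f"  in a visible affected range for {cve}" for cve in hits]
    else:
        lines.append("  not in any range visible on this page")
    unseen = sum(HIDDEN_RANGES.values())
    lines.append(f"  ({unseen} ranges hidden behind '+N more' were not checked)")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        installed = sys.argv[1]
    else:
        try:
            # Assumed location of the installed version string; adjust if yours differs.
            with open("/usr/local/cpanel/version", encoding="ascii") as fh:
                installed = fh.read()
        except OSError:
            installed = "11.136.0.9"  # constructed sample for running off-box
    print(report(installed))
```

Run it on the server with no arguments, or pass a version string to check a build you have not installed yet; the trailing caveat line is deliberate, because a check that only covers the visible ranges will pass versions such as 11.87.x that fall in a gap between two printed ranges and may still be covered by the hidden ones.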
CVE-2026-29205 | P2 | HIGH | CVSS 8.6 | 2026-05-13
Affected: ≥ 11.136.0.0, < 11.136.0.10; ≥ 11.134.0.0, < 11.134.0.26; +4 more ranges
CWE-250: Execution with Unnecessary Privileges
Incorrect privilege management and insufficient path filtering allow an arbitrary file on the server to be read via the cpdavd attachment download endpoints.
Source: nvd
CVE-2026-29202 | P2 | HIGH | CVSS 8.8 | 2026-05-08
Affected: ≥ 11.136.0.0, < 11.136.0.9; ≥ 11.134.0.0, < 11.134.0.25; +9 more ranges
CWE-94: Improper Control of Generation of Code ('Code Injection')
Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution as the system user of the already-authenticated cPanel account.
Source: nvd
CVE-2026-29203 | P2 | HIGH | CVSS 8.8 | 2026-05-08
Affected: ≥ 11.136.0.0, < 11.136.0.9; ≥ 11.134.0.0, < 11.134.0.25; +9 more ranges
CWE-61: UNIX Symbolic Link (Symlink) Following
A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing permissions to be set, as root, on arbitrary system files or directories. An authenticated cPanel user who places a symlink at a user-controlled legacy Nova path under their home directory can use this for denial of service or local privilege escalation.
Source: nvd
CVE-2026-32993 | P3 | HIGH | CVSS 8.3 | 2026-05-13
Affected: ≥ 11.132.0.0, < 11.132.0.32; ≥ 11.134.0.0, < 11.134.0.26; +1 more range
CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows an unauthenticated attacker to inject arbitrary HTTP headers into the response.
Source: nvd
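Because the endpoint is reachable without authentication, the practical question for an operator is whether anyone has already sent CR/LF sequences in that parameter. The scanner below is an added example, not code from this listing, NVD or cPanel: it walks access-log lines, keeps only requests to `/unprotected/nova_error`, and flags those whose `status` value contains a carriage return or line feed after URL-decoding, including one level of double encoding. Assumptions not taken from the page: the log lines use the common/combined format matched by the regex, and the sample lines (including the injected header name) are constructed for this example rather than captured traffic.

```python
"""Flag requests to /unprotected/nova_error whose `status` parameter carries CR/LF.

Added example; not from the listing, NVD or cPanel. It demonstrates a detection
for the CVE-2026-32993 precondition (CRLF sequences in the `status` query
parameter) over web-server access-log lines. Assumptions not taken from the page:
the log uses the common/combined format matched below, and the sample lines
(including the injected header name) are constructed for this example.
"""
import re
import sys
from typing import Dict, Iterable, List
from urllib.parse import parse_qsl, unquote, urlsplit

TARGET_PATH = "/unprotected/nova_error"
TARGET_PARAM = "status"

# ip ident user [timestamp] "METHOD target PROTO" code ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<code>\d{3})'
)

# Constructed sample log lines; the attack-shaped ones are illustrative, not a
# captured exploit. Line 3 is the double-encoded form, line 4 hits another path.
SAMPLE_LOG = """\
203.0.113.7 - - [13/May/2026:10:01:02 +0000] "GET /unprotected/nova_error?status=404 HTTP/1.1" 200 512
203.0.113.9 - - [13/May/2026:10:01:05 +0000] "GET /unprotected/nova_error?status=200%0d%0aX-Injected:%201 HTTP/1.1" 200 512
198.51.100.4 - - [13/May/2026:10:02:11 +0000] "GET /unprotected/nova_error?status=200%250d%250aX-Injected:%201 HTTP/1.1" 200 512
198.51.100.5 - - [13/May/2026:10:02:30 +0000] "GET /some/other/page?status=%0d%0a HTTP/1.1" 404 128
garbage line that does not parse
"""


def contains_crlf(value: str, rounds: int = 2) -> bool:
    """True if the value holds CR or LF after up to `rounds` of URL-decoding.

    parse_qsl already decodes once, so the extra round catches double-encoded
    payloads such as %250d%250a.
    """
    for _ in range(rounds):
        if "\r" in value or "\n" in value:
            return True
        value = unquote(value)
    return "\r" in value or "\n" in value


def flag_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per request to TARGET_PATH with CR/LF in TARGET_PARAM."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not in the expected format; a real scanner would count these
        url = urlsplit(m["target"])
        if url.path != TARGET_PATH:
            continue  # scoped to the endpoint named in the advisory
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == TARGET_PARAM and contains_crlf(value):
                hits.append({"ip": m["ip"], "ts": m["ts"], "status_param": value})
                break
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            found = flag_requests(fh)
    else:
        found = flag_requests(SAMPLE_LOG.splitlines())
    for hit in found:
        print(f"{hit['ts']} {hit['ip']} status={hit['status_param']!r}")
```

Point it at the access log of the service that serves this endpoint; the path filter is deliberately strict so that CR/LF in other parameters does not drown the result, and a hit on a patched build is still worth triaging as reconnaissance.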
CVE-2026-29201 | P3 | HIGH | CVSS 8.6 | 2026-05-08
Affected: ≥ 11.136.0.0, < 11.136.0.9; ≥ 11.134.0.0, < 11.134.0.25; +9 more ranges
CWE-23: Relative Path Traversal
Insufficient input validation of the feature file name in the `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
Source: nvd
CVE-2026-29206 | P3 | HIGH | CVSS 8.1 | 2026-05-13
Affected: ≥ 11.136.0.0, < 11.136.0.10; ≥ 11.134.0.0, < 11.134.0.26; +9 more ranges
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL injection executed as the root user if Slow Query logging is enabled.
Source: nvd
CVE-2026-32992 | P3 | HIGH | CVSS 8.2 | 2026-05-13
Affected: ≥ 11.136.0.0, < 11.136.0.10; ≥ 11.134.0.0, < 11.134.0.26; +3 more ranges
CWE-295: Improper Certificate Validation
SSL/TLS certificate verification is disabled in the DNS Cluster system, so a malicious server positioned to man-in-the-middle the request can capture the credentials it carries.
Source: nvd
CVE-2026-32991 | P3 | HIGH | CVSS 7.1 | 2026-05-13
Affected: ≥ 11.136.0.0, < 11.136.0.10; ≥ 11.134.0.0, < 11.134.0.26; +6 more ranges
CWE-863: Incorrect Authorization
Improper authorization checks on team-member privileges allow a team member to escalate privileges to the team owner account.
Source: nvd