cvebase

Webpros Cpanel vulnerabilities

9 known vulnerabilities affecting webpros/cpanel.

Total CVEs: 9
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 1, HIGH 8

Vulnerabilities

CVE-2026-41940 | P1 | CRITICAL | CVSS 9.8 | KEV | PoC | Ransomware
Affected versions: ≥ 11.40.0.0, < 11.86.0.41; ≥ 11.88.0.0, < 11.94.0.28; +9 more
Date: 2026-04-29
CWE-306: cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Source: nvd

CVE-2026-29205 | P2 | HIGH | CVSS 8.6
Affected versions: ≥ 11.136.0.0, < 11.136.0.10; ≥ 11.134.0.0, < 11.134.0.26; +4 more
Date: 2026-05-13
CWE-250: Incorrect privilege management and insufficient path filtering allow reading arbitrary files on the server via the cpdavd attachment download endpoints.
Source: nvd

CVE-2026-29202 | P2 | HIGH | CVSS 8.8
Affected versions: ≥ 11.136.0.0, < 11.136.0.9; ≥ 11.134.0.0, < 11.134.0.25; +9 more
Date: 2026-05-08
CWE-94: Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.
Source: nvd

CVE-2026-29203 | P2 | HIGH | CVSS 8.8
Affected versions: ≥ 11.136.0.0, < 11.136.0.9; ≥ 11.134.0.0, < 11.134.0.25; +9 more
Date: 2026-05-08
CWE-61: A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.
Source: nvd

CVE-2026-32993 | P3 | HIGH | CVSS 8.3
Affected versions: ≥ 11.132.0.0, < 11.132.0.32; ≥ 11.134.0.0, < 11.134.0.26; +1 more
Date: 2026-05-13
CWE-93: Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows an unauthenticated attacker to inject an arbitrary HTTP header into the response.
Source: nvd

CVE-2026-29201 | P3 | HIGH | CVSS 8.6
Affected versions: ≥ 11.136.0.0, < 11.136.0.9; ≥ 11.134.0.0, < 11.134.0.25; +9 more
Date: 2026-05-08
CWE-23: Insufficient input validation of the feature file name in the `feature::LOADFEATUREFILE` adminbin call can cause an arbitrary file read when a relative file path is passed.
Source: nvd

CVE-2026-29206 | P3 | HIGH | CVSS 8.1
Affected versions: ≥ 11.136.0.0, < 11.136.0.10; ≥ 11.134.0.0, < 11.134.0.26; +9 more
Date: 2026-05-13
CWE-89: Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL injection on behalf of the root user if Slow Query logging is enabled.
Source: nvd

CVE-2026-32992 | P3 | HIGH | CVSS 8.2
Affected versions: ≥ 11.136.0.0, < 11.136.0.10; ≥ 11.134.0.0, < 11.134.0.26; +3 more
Date: 2026-05-13
CWE-295: SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials.
Source: nvd

CVE-2026-32991 | P3 | HIGH | CVSS 7.1
Affected versions: ≥ 11.136.0.0, < 11.136.0.10; ≥ 11.134.0.0, < 11.134.0.26; +6 more
Date: 2026-05-13
CWE-863: Improper authorization checks of team members' privileges allow a team member to escalate privileges to the team owner account.
Source: nvd