cPanel, WHM Patch New Vulnerabilities

cPanel releases fixes for three new vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to achieve privilege escalation, code execution, and denial-of-service.

As of May 9, 2026, a whopping 234,000 web servers are affected by three newly discovered vulnerabilities in cPanel and Web Host Manager (WHM), as reported by The Hacker News. The vulnerabilities, identified as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, were discovered by the cPanel security team, which has since released patches to address the issues.

Key Takeaways

  • Three new vulnerabilities have been discovered in cPanel and WHM.
  • The vulnerabilities could be exploited to achieve privilege escalation, code execution, and denial-of-service.
  • 234,000 web servers are affected by the vulnerabilities.
  • cPanel has released patches to address the issues.

cPanel and WHM Vulnerabilities

The three newly discovered vulnerabilities are classified as critical, according to the Common Vulnerability Scoring System (CVSS). The vulnerabilities are:

  • CVE-2026-29201 (CVSS score: 4.3): An insufficient input validation of the feature file name in the “feature::LOADFEATUREFILE” adminbin call that could result in arbitrary file execution.
  • CVE-2026-29202 (CVSS score: 5.5): An authentication bypass vulnerability in the WHM interface that could allow an attacker to access sensitive information.
  • CVE-2026-29203 (CVSS score: 6.5): A denial-of-service vulnerability in the cPanel interface that could cause the service to crash.

Impact of the Vulnerabilities

The vulnerabilities could be exploited by attackers to achieve privilege escalation, code execution, and denial-of-service. This could allow attackers to gain unauthorized access to sensitive information, execute malicious code, or bring down the entire service.

CVE-2026-29201, while rated lower on the CVSS scale, poses a serious risk due to its ability to trigger arbitrary file execution. An attacker who exploits this flaw could upload a malicious file with a crafted name and execute it through the adminbin interface, which traditionally runs with elevated privileges. This could lead to full server compromise, especially on systems where adminbin scripts are not properly isolated.

CVE-2026-29202 is more dangerous in shared hosting environments. The authentication bypass flaw allows an unauthenticated user to access WHM endpoints that should require administrative credentials. This could expose server configurations, SSL certificates, account lists, and reseller permissions. In multi-tenant setups, where users are isolated by design, this vulnerability breaks the trust boundary between tenants.

CVE-2026-29203, the highest-severity flaw, allows a remote attacker to crash the cPanel service through repeated malformed requests. While it doesn’t grant access, it can be weaponized in sustained denial-of-service campaigns. A single attacker could disrupt service for thousands of websites hosted on a single server. In automated attacks, bots could trigger this repeatedly, making recovery difficult without patching.

The combined impact of these flaws means an attacker could potentially gain control, steal data, and disable recovery mechanisms—all within minutes of initial access.

Historical Context

cPanel has been a cornerstone of web hosting since its release in 1997. Over two decades, it’s evolved from a simple control panel into a full-featured server management suite used by hosting providers, small businesses, and individual developers. Its widespread adoption—powering nearly a quarter million servers in 2026—makes it a high-value target.

Security flaws in cPanel aren’t new. In 2021, CVE-2021-2996 allowed remote code execution through a flaw in the cPanel Update System. That vulnerability led to mass exploitation within days of disclosure, with attackers deploying cryptocurrency miners and backdoors. In 2023, a privilege escalation bug (CVE-2023-2917) allowed standard users to gain root access, affecting over 180,000 servers.

Each incident followed a similar pattern: rapid disclosure, emergency patching, and a race between defenders and attackers. In 2024, researchers noted that unpatched cPanel servers remained exposed for an average of 11 days post-patch—long enough for automated scanning tools to identify and exploit them.

The 2026 vulnerabilities echo these past issues. CVE-2026-29201 bears similarity to CVE-2021-2996 in that both involve improper handling of file inputs in privileged scripts. CVE-2026-29202 mirrors earlier authentication bypass flaws seen in 2018 and 2020, where weak session validation allowed unauthorized access to admin interfaces.

What’s different now is scale and speed. Attackers use real-time scanning platforms like Shodan and Censys to detect exposed cPanel instances. Within hours of a vulnerability disclosure, bots begin probing for unpatched systems. The 234,000 servers at risk in 2026 represent a larger attack surface than in previous years, partly due to cPanel’s continued dominance in shared hosting and budget VPS markets.

cPanel Response

In response to the discovery of the vulnerabilities, the cPanel security team has released patches to address the issues. These patches are available for download on the cPanel website.

The fixes involve tightening input validation in the feature::LOADFEATUREFILE handler, reinforcing authentication checks in WHM’s API endpoints, and adding rate-limiting and input sanitization to prevent service crashes in cPanel. cPanel also pushed automatic update notifications to all managed servers and posted alerts on its status dashboard.
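What a strict check on a caller-supplied file name looks like in general, shown beside the unchecked form, as an added illustration; this is not cPanel's code or its patch. The directory layout, the allowlist pattern and the function names are assumptions made for the example.

```python
import os
import re
import tempfile

# Hypothetical allowlist: letters, digits, "_", ".", "-"; no slash, no leading dot.
NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")

def unsafe_path(base_dir, name):
    # 'Before' form: the name is joined unchecked, so "../x" or an
    # absolute path selects a file outside base_dir.
    return os.path.join(base_dir, name)

def safe_path(base_dir, name):
    """Return the resolved path of `name` inside base_dir, or raise ValueError."""
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        raise ValueError("name fails allowlist")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath follows symlinks, so a link inside base_dir that points
    # elsewhere is rejected by the containment check below.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolves outside base directory")
    if not os.path.isfile(candidate):
        raise ValueError("not a regular file")
    return candidate

def demo():
    """Build a throwaway tree and report which names the check accepts."""
    names = ["default", "../outside.sh", "/etc/passwd", "link",
             "default\x00.sh", ".hidden"]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "features")
        os.mkdir(base)
        open(os.path.join(base, "default"), "w").close()
        open(os.path.join(root, "outside.sh"), "w").close()
        os.symlink(os.path.join(root, "outside.sh"), os.path.join(base, "link"))
        for name in names:
            try:
                safe_path(base, name)
                results[name] = True
            except ValueError:
                results[name] = False
    return results
```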

The security team emphasized that CVE-2026-29202 and CVE-2026-29203 could be exploited without authentication, making them particularly urgent. They advised disabling public access to WHM ports (2087 and 2083) unless absolutely necessary and restricting access via IP whitelisting.

Patches were rolled out across all supported versions: cPanel & WHM versions 104, 106, and 108. Users on end-of-life versions were urged to upgrade immediately, as no backported fixes were provided. The company also released detection scripts to help administrators check if their systems had been compromised prior to patching.

What This Means For You

If you are using cPanel and WHM, patch your system as soon as possible to prevent exploitation of the vulnerabilities. This will ensure that your system remains secure and protected from potential attacks.

For developers managing their own hosting environments, this is more than a routine update. It’s a stress test of your patch management process. If you rely on manual updates, there’s a real chance your server stays exposed for hours—or days—after a patch drops. That’s often all an attacker needs.

Consider a small SaaS startup running on a VPS with cPanel. They host their app, customer dashboards, and internal tools on the same server. A delay in applying the CVE-2026-29202 patch could let an attacker bypass authentication and access WHM. From there, they could extract database credentials, modify DNS settings, or create new admin accounts. Even if the main app is secure, the control panel becomes the weak link.

For a web hosting founder managing thousands of customer accounts, the stakes are higher. An unpatched server could be used to distribute malware to every hosted website. Google might flag all associated domains as unsafe. Customers would leave. Reputational damage could take years to repair. In extreme cases, regulatory scrutiny could follow if customer data is compromised.

A third scenario involves a freelance developer managing sites for clients. They might not have root access or control over server updates. In this case, their responsibility shifts to awareness and escalation. They need to contact their host, confirm the patch status, and advise clients to avoid logging in until the system is secure. Communication becomes part of the defense strategy.

Automating updates is a step forward, but it’s not foolproof. Some patches can break custom scripts or plugins. That’s why testing in a staging environment matters. But in critical security cases like these, the risk of downtime from a patch is often lower than the risk of remaining exposed.

Competitive Landscape

The cPanel vulnerabilities come at a time when alternatives are gaining traction. Platforms like Plesk, ISPConfig, and open-source tools like VestaCP and Sentora offer similar functionality with smaller footprints and different security models.

Plesk, for example, has invested heavily in containerized deployments and role-based access controls. Its recent versions run services in isolated environments, reducing the blast radius of any single flaw. While Plesk has had its own vulnerabilities, none in the past two years have reached the severity or exploitability of the 2026 cPanel flaws.

Cloud providers are also shifting the landscape. AWS and Google Cloud promote managed solutions like Lightsail and Cloud Run, which reduce reliance on traditional control panels. These platforms handle patching automatically, abstracting server management from the user. For many developers, that’s a trade-off worth making—less control, but fewer security headaches.

Hosting providers are responding too. Some have started migrating customers to custom-built control panels with minimal attack surfaces. Others are adopting infrastructure-as-code practices, where servers are ephemeral and rebuilt from templates on every update. This “replace, don’t patch” model eliminates configuration drift and ensures consistency.

Still, cPanel remains dominant. Its interface is familiar, its ecosystem of plugins is vast, and migration is costly and time-consuming. For now, most organizations will continue to depend on it—meaning they must also invest in rapid response capabilities.

What Happens Next

Patching is just the beginning. The real test comes in the days and weeks after disclosure. Security researchers and attackers alike will analyze the patches to reverse-engineer the exploits. Proof-of-concept code could appear on public forums within 48 hours.

Once weaponized, the vulnerabilities will be added to automated scanning tools. Shodan queries for “cPanel” and port 2083 will spike. Attackers will target not just large hosts, but also forgotten development servers, test environments, and personal projects—systems that often go unpatched for months.

Organizations should assume compromise is possible, even after patching. Logs from May 8 onward should be reviewed for suspicious activity: unexpected file uploads, failed login spikes, or abnormal CPU usage. The cPanel team’s detection scripts can help, but manual inspection of access logs and cron jobs is still essential.
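A first pass over access logs for two of the signals named above (failed-login spikes from May 8 onward, and panel-port clients outside an IP allowlist), as an added example that is not one of cPanel's detection scripts. The log layout, the `/login` path, the threshold and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample: combined-log style lines with the listening port appended.
# The layout is an assumption; adjust LINE_RE to match your real logs.
SAMPLE_LOG = """\
198.51.100.7 - - [07/May/2026:23:58:01 +0000] "POST /login/ HTTP/1.1" 401 512 2087
198.51.100.7 - - [08/May/2026:00:01:10 +0000] "POST /login/ HTTP/1.1" 401 512 2087
198.51.100.7 - - [08/May/2026:00:01:11 +0000] "POST /login/ HTTP/1.1" 401 512 2087
198.51.100.7 - - [08/May/2026:00:01:12 +0000] "POST /login/ HTTP/1.1" 401 512 2087
198.51.100.7 - - [08/May/2026:00:01:13 +0000] "POST /login/ HTTP/1.1" 401 512 2087
198.51.100.7 - - [08/May/2026:00:01:14 +0000] "POST /login/ HTTP/1.1" 401 512 2087
203.0.113.10 - root [08/May/2026:09:30:00 +0000] "GET / HTTP/1.1" 200 4096 2087
192.0.2.44 - - [09/May/2026:14:02:55 +0000] "POST /login/ HTTP/1.1" 401 512 2083
this line is truncated and must be skipped, not crash the review
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) \S+ (\d+)$')
PANEL_PORTS = {2087, 2083}            # the ports named in the article
SINCE = datetime(2026, 5, 8, tzinfo=timezone.utc)

def review(log_text, allowed_nets, since=SINCE, threshold=5):
    """Return (failed-login spikes by IP, IPs outside the allowlist, skipped lines)."""
    nets = [ip_network(n) for n in allowed_nets]
    failures, outsiders, skipped = Counter(), set(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1              # count unparseable lines instead of hiding them
            continue
        ip, ts, path, status, port = m.groups()
        try:
            addr = ip_address(ip)
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            skipped += 1
            continue
        if when < since:
            continue                  # outside the review window
        if path.startswith("/login") and status in ("401", "403"):
            failures[ip] += 1
        if int(port) in PANEL_PORTS and not any(addr in n for n in nets):
            outsiders.add(ip)
    spikes = {ip: n for ip, n in failures.items() if n >= threshold}
    return spikes, sorted(outsiders), skipped
```

A non-zero skipped count means the pattern does not match part of the log, so an empty result from such a run does not show the log is clean.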

Longer term, this incident will likely push more teams toward automated patch management and zero-trust architectures. It may also accelerate the decline of monolithic control panels in favor of modular, API-driven systems.

One thing’s certain: vulnerabilities like these won’t be the last. cPanel’s architecture, built over decades, carries technical debt that’s hard to unwind. As long as it’s widely used, it will remain a target. Staying ahead means more than applying patches—it means rethinking how we manage and secure the infrastructure beneath our applications.

Sources: The Hacker News
