- 131/2026
- High
cPanel has released security updates to address several vulnerabilities affecting multiple cPanel & WHM versions, as well as the third-party mail transfer agent Exim.
The addressed vulnerabilities could allow the attacker to conduct denial-of-service or man-in-the-middle attacks, obtain sensitive information, gain elevated privileges, execute arbitrary code, and gain access to the affected products.
Sample of the addressed vulnerabilities:
1. cPanel & WHM/WP2 Unsafe Symlink Handling Vulnerability (CVE-2026-29203):
- CVSS: 8.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Denial of Service
2. cPanel & WHM/WP2 Disabled SSL Verification in the DNS Cluster System Vulnerability (CVE-2026-32992):
- CVSS: 8.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Man-in-the-Middle
Vulnerabilities
- CVE-2026-29201
- CVE-2026-29202
- CVE-2026-29203
- CVE-2026-29205
- CVE-2026-29206
- CVE-2026-32991
- CVE-2026-32992
- CVE-2026-32993
- CVE-2026-40684
- CVE-2026-40685
- CVE-2026-40686
- CVE-2026-40687
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.