CVE-2026-29201

HIGH

cPanel 11.86.0-11.136.0 - Unauthenticated Arbitrary File Read via feature::LOADFEATUREFILE

Title source: llm

Description

Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.

References (1)

Core 1

Core References

https://support.cpanel.net/hc/en-us/articles/40311033698327-Security-CVE-2026-29201-cPanel-WHM-WP2-Security-Update-May-08-2026

Scores

CVSS v3 8.6

EPSS 0.0043

EPSS Percentile 34.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-23

Status published

Products (17)

WebPros/cPanel 11.102.0.0 - 11.102.0.41

WebPros/cPanel 11.110.0.0 - 11.110.0.116

WebPros/cPanel 11.110.0.0 - 11.110.0.117

WebPros/cPanel 11.118.0.0 - 11.118.0.66

WebPros/cPanel 11.124.0.0 - 11.124.0.37

WebPros/cPanel 11.126.0.0 - 11.126.0.58

WebPros/cPanel 11.130.0.0 - 11.130.0.22

WebPros/cPanel 11.132.0.0 - 11.132.0.31

WebPros/cPanel 11.134.0.0 - 11.134.0.25

WebPros/cPanel 11.136.0.0 - 11.136.0.9

... and 7 more

Published May 08, 2026

Tracked Since May 09, 2026