CVE-2026-29202

HIGH

cPanel 11.86.0.0-11.136.0.8 - Authenticated Perl Code Injection via create_user Plugin

Title source: llm

Description

Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.

References (1)

Core 1

Core References

https://support.cpanel.net/hc/en-us/articles/40311426610327-Security-CVE-2026-29202-cPanel-WHM-WP2-Security-Update-May-08-2026

Scores

CVSS v3 8.8

EPSS 0.0083

EPSS Percentile 52.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (16)

WebPros/cPanel 11.102.0.0 - 11.102.0.41

WebPros/cPanel 11.110.0.0 - 11.110.0.116

WebPros/cPanel 11.110.0.0 - 11.110.0.117

WebPros/cPanel 11.118.0.0 - 11.118.0.66

WebPros/cPanel 11.124.0.0 - 11.124.0.37

WebPros/cPanel 11.126.0.0 - 11.126.0.58

WebPros/cPanel 11.130.0.0 - 11.130.0.22

WebPros/cPanel 11.132.0.0 - 11.132.0.31

WebPros/cPanel 11.134.0.0 - 11.134.0.25

WebPros/cPanel 11.136.0.0 - 11.136.0.9

... and 6 more

Published May 08, 2026

Tracked Since May 09, 2026