CVE-2026-29205

HIGH

cPanel 11.120.0.0-11.136.0.9 Arbitrary File Read via cpdavd

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-29205. PoCs published by Unclecheng-li.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-29205, a CalDAV path-traversal vulnerability in cPanel/WHM, allowing arbitrary file reads as root. It includes a scanner for CVE-2026-41940 (authentication bypass) and an exploit chain for CVE-2026-29205, leveraging SMTP sub-addressing to create malicious maildir folders and exfiltrate files via CalDAV.

Description

Incorrect privilege management and insufficient path filtering allow an attacker to read arbitrary files on the server via the cpdavd attachment download endpoints.

Exploits (1)

github WORKING POC 359 stars
by Unclecheng-li · cpoc
https://github.com/Unclecheng-li/poc-lab/tree/main/CVE-2026-29205 cPanel2Shell-Scanner

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Complex
Reliability
Reliable
Target: cPanel/WHM (versions prior to 11.134.0.26)
No auth needed
Prerequisites: SMTP relay access for sending emails · target host running vulnerable cPanel/WHM · CalDAV service (cpdavd) accessible on ports 2079/2080
devstral-2 · analyzed May 25, 2026

Scores

CVSS v3 8.6
EPSS 0.0003
EPSS Percentile 9.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-250
Status published
Products (7)
WebPros/cPanel 11.120.0.0 - 11.124.0.38
WebPros/cPanel 11.126.0.0 - 11.126.0.59
WebPros/cPanel 11.130.0.0 - 11.130.0.23
WebPros/cPanel 11.132.0.0 - 11.132.0.32
WebPros/cPanel 11.134.0.0 - 11.134.0.26
WebPros/cPanel 11.136.0.0 - 11.136.0.10
WebPros/WP Squared 11.120.1.0 - 11.136.1.12
Published May 13, 2026
Tracked Since May 14, 2026
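A triage script, added here as an example and not taken from cPanel, WebPros or the PoC repository: it checks a reported cPanel or WP Squared build against the affected ranges in the Products list above, and parses `ss -tlnp` style output for cpdavd listening on the ports named in the exploit prerequisites (2079/2080). The function names, the sample `ss` lines and the rule that loopback-only listeners are not reported are assumptions of this example. It deliberately does not reproduce the traversal request itself, since this page gives neither the endpoint path nor the payload.

```python
"""Triage helper for CVE-2026-29205 (added example, not vendor or PoC code).

Answers two questions a responder needs before anything else:
  1. Is this cPanel / WP Squared build inside an affected range listed on the page?
  2. Is cpdavd reachable on the CalDAV ports (2079/2080) the exploit needs?

Version ranges are copied from the page's Products list. The ``ss`` output
used below is a constructed sample, not captured from a real host.
"""
import re

# (product, first affected build, last affected build), inclusive, from this page.
AFFECTED_RANGES = [
    ("WebPros/cPanel", "11.120.0.0", "11.124.0.38"),
    ("WebPros/cPanel", "11.126.0.0", "11.126.0.59"),
    ("WebPros/cPanel", "11.130.0.0", "11.130.0.23"),
    ("WebPros/cPanel", "11.132.0.0", "11.132.0.32"),
    ("WebPros/cPanel", "11.134.0.0", "11.134.0.26"),
    ("WebPros/cPanel", "11.136.0.0", "11.136.0.10"),
    ("WebPros/WP Squared", "11.120.1.0", "11.136.1.12"),
]

# Ports on which the exploit prerequisites expect cpdavd to be reachable.
CPDAVD_PORTS = {2079, 2080}

# Constructed sample of `ss -tlnp` output (assumption: a typical cPanel host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:2079        0.0.0.0:*         users:(("cpdavd",pid=1402,fd=6))
LISTEN 0      128    0.0.0.0:2080        0.0.0.0:*         users:(("cpdavd",pid=1402,fd=7))
LISTEN 0      128    0.0.0.0:2083        0.0.0.0:*         users:(("cpsrvd",pid=1390,fd=5))
"""


def parse_version(text):
    """Turn '11.134.0.26' (or 'cPanel 11.134.0.26 (STANDARD)') into a 4-tuple of ints."""
    m = re.search(r"\d+(?:\.\d+){1,3}", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    # Pad to four components so '11.134' compares like '11.134.0.0'.
    return tuple(parts + [0] * (4 - len(parts)))


def affected_range(version, product="WebPros/cPanel"):
    """Return the (lo, hi) range that contains ``version`` for ``product``, or None.

    Comparison is numeric per component, so 11.136.0.9 < 11.136.0.10, and a
    build the page does not list (e.g. 11.125.x) is reported as not affected
    rather than guessed at.
    """
    v = parse_version(version)
    for prod, lo, hi in AFFECTED_RANGES:
        if prod == product and parse_version(lo) <= v <= parse_version(hi):
            return (lo, hi)
    return None


def is_affected(version, product="WebPros/cPanel"):
    return affected_range(version, product) is not None


def exposed_cpdavd_ports(ss_output):
    """Parse ``ss -tlnp`` style lines; return the CalDAV ports on which cpdavd
    listens on a non-loopback address (the exploit needs network reachability,
    so a 127.0.0.1 / [::1] listener is not counted)."""
    found = set()
    for line in ss_output.splitlines():
        if "cpdavd" not in line:
            continue
        m = re.search(r"\s(\S+):(\d+)\s+\S+:\*", line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if port in CPDAVD_PORTS and addr not in ("127.0.0.1", "[::1]"):
            found.add(port)
    return found


def triage(version, ss_output, product="WebPros/cPanel"):
    """Combine both checks into one verdict dict for a host."""
    rng = affected_range(version, product)
    ports = exposed_cpdavd_ports(ss_output)
    return {
        "version": version,
        "affected_range": rng,
        "exposed_ports": sorted(ports),
        "at_risk": rng is not None and bool(ports),
    }


if __name__ == "__main__":
    print(triage("cPanel 11.134.0.26 (STANDARD)", SAMPLE_SS))
```

`at_risk` is only a preconditions check: a host outside the listed ranges or with cpdavd bound to loopback is not flagged, while a flagged host still needs the vendor fix verified rather than assumed.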