CVE-2026-48172

CRITICAL KEV

LiteSpeed cPanel Plugin < 2.4.5 - Privilege Escalation via Redis Feature Mishandling

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2026-48172 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 26, 2026. EIP tracks 3 public exploits from researchers including retmakarunia, fevar54, HORKimhab.

AI-analyzed exploit summary The repository contains only a minimal README with no technical details or exploit code. The content appears to be a placeholder or joke ('PRANK WKWK').

Description

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.

Exploits (3)

github STUB 1 stars
by retmakarunia · poc
https://github.com/retmakarunia/CVE-2026-48172

The repository contains only a minimal README with no technical details or exploit code. The content appears to be a placeholder or joke ('PRANK WKWK').

Classification
Stub 100%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed May 24, 2026 Full analysis →
github SCANNER
by fevar54 · pythonpoc
https://github.com/fevar54/CVE-2026-48172---LiteSpeed-cPanel-Plugin-Version-Auditor

This repository contains a Python script that audits the local version of the LiteSpeed cPanel plugin to determine if it is vulnerable to CVE-2026-48172. It checks version metadata files and compares the detected version against the known vulnerable version (2.4.7).

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: LiteSpeed cPanel Plugin (Versions prior to 2.4.7)
Auth required
Prerequisites: Root or administrative access to read cPanel plugin metadata files · Python 3.8 or higher
devstral-2 · analyzed May 28, 2026 Full analysis →
github STUB
by HORKimhab · remote
https://github.com/HORKimhab/CVE-2026-48172

The repository contains only boilerplate legal disclaimers, a license file, and a template file with no actual exploit code or technical details about CVE-2026-48172.

Classification
Stub 95%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed May 23, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 9.8
EPSS 0.0796
EPSS Percentile 92.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2026-05-26
VulnCheck KEV 2026-05-21
ENISA EUVD EUVD-2026-31204
CWE
CWE-266
Status published
Products (5)
LiteSpeed Technologies/cPanel Plugin 2.3 - 2.4.5
LiteSpeed Technologies/cPanel Plugin 2.3 - 2.4.7
LiteSpeed Technologies/WHM Plugin < 5.3.1.0
litespeedtech/litespeed_cpanel_plugin < 2.4.7
litespeedtech/litespeed_whm_plugin < 5.3.1.0
Published May 21, 2026
KEV Added May 26, 2026
Tracked Since May 21, 2026