webpros

Top products

The 14 most recently published vulnerabilities affecting webpros.

• CVE-2026-47365Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit ...9.9Jun 12, 2026
• CVE-2026-44962Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This a...9.9May 29, 2026
• CVE-2026-32999Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute an arbitrary code on behalf of a privileged user on the a...9.0May 28, 2026
• CVE-2026-32991Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account.7.1May 13, 2026
• CVE-2026-29206Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled.8.1May 13, 2026
• CVE-2026-32993Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.8.3May 13, 2026
• CVE-2026-32992SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials.8.2May 13, 2026
• CVE-2026-29205Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints.8.6May 13, 2026
• CVE-2026-29204Insufficient ownership check in `clientarea.php` allows an authenticated client area user to submit requests using another user’s `addonId` without any ownership validation leading to unauthorize...9.1May 12, 2026
• CVE-2026-29203A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege ...8.8May 8, 2026
• CVE-2026-29202Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.8.8May 8, 2026
• CVE-2026-29201Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.8.6May 8, 2026
• CVE-2026-41940WebPros cPanel and WHM Authentication Bypass via Login FlowKEV9.8Apr 29, 2026
• CVE-2025-65518Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a ...7.5Jan 8, 2026