Cpanel

This hub aggregates every CVE we track for Cpanel, a product in the enterprise software space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Cpanel.

• CVE-2026-9516Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws7.5Jun 3, 2026
• CVE-2026-9334Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled7.3Jun 3, 2026
• CVE-2026-32991Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account.7.1May 13, 2026
• CVE-2026-29206Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled.8.1May 13, 2026
• CVE-2026-32993Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.8.3May 13, 2026
• CVE-2026-32992SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials.8.2May 13, 2026
• CVE-2026-29205Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints.8.6May 13, 2026
• CVE-2026-29202Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.8.8May 8, 2026
• CVE-2026-29203A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege ...8.8May 8, 2026
• CVE-2026-29201Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.8.6May 8, 2026
• CVE-2026-41940WebPros cPanel and WHM Authentication Bypass via Login FlowKEV9.8Apr 29, 2026
• CVE-2025-66429An issue was discovered in cPanel 110 through 132. A directory traversal vulnerability within the Team Manager API allows for overwrite of an arbitrary file. This can allow for privilege escalation...8.8Dec 11, 2025
• CVE-2022-48623The Cpanel::JSON::XS package before 4.33 for Perl performs out-of-bounds accesses in a way that allows attackers to obtain sensitive information or cause a denial of service.9.1Feb 13, 2024
• CVE-2023-29489An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106....5.3Apr 27, 2023
• CVE-2021-38584The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585).7.2Aug 11, 2021