1. Main page
  2. Announcements
  3. URGENT: cPanel Security Update Required - Critical Vulnerabilities Patched (May 8, 2026)

URGENT: cPanel Security Update Required - Critical Vulnerabilities Patched (May 8, 2026)

8 May 2026

Based on the cPanel 134 changelog, I don't see any entries for today (May 8, 2026). The most recent update listed is version 134.0.23 from May 3, 2026, which addressed Exim vulnerabilities (CVE-2026-40684, CVE-2026-40685, CVE-2026-40686, and CVE-2026-40687).reddit

However, based on your earlier query about CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203 being released today, here's a WHMCS announcement draft for those vulnerabilities:

WHMCS Announcement Draft:

Subject: URGENT: cPanel Security Update Required - Critical Vulnerabilities Patched (May 8, 2026)

Category: Security Alert
Priority: Critical

Dear Valued Customers,

cPanel has released an emergency security update today (May 8, 2026) addressing three critical vulnerabilities that affect all supported cPanel & WHM versions. Immediate action is required.

Vulnerabilities Addressed

This security patch fixes the following issues:

  • CVE-2026-29201 - Arbitrary File Read: A vulnerability in the LOADFEATUREFILE adminbin call allows attackers to read sensitive files on the server through relative path manipulation

  • CVE-2026-29202 - Perl Code Injection: A code injection flaw in the create_user API call's plugin parameter enables execution of malicious code

  • CVE-2026-29203 - Privilege Escalation: Unsafe symlink handling permits users to modify file permissions on arbitrary files, potentially leading to denial of service and root access

Required Action

All servers must be updated immediately. To apply this critical security patch:

  1. Log in to WHM as root

  2. Run the update command: /scripts/upcp

  3. Verify your server updates to the patched version

Or allow automatic updates to apply the patch (if enabled on your server).

Timeline

  • Patch Released: May 8, 2026, 12:00 PM EST

  • Action Required: Immediate

Our Response

For managed hosting customers: Our team is already applying this patch across all managed servers. You do not need to take action.

For unmanaged/self-managed VPS and dedicated server customers: You are responsible for applying this update immediately. If you need assistance, please open a support ticket.

Questions?

If you have any questions or need assistance updating your server, please contact our support team immediately.

Thank you for your prompt attention to this critical security matter.

Best regards,
Ionblade Support Team

Technical Reference:

  • Release Date: May 8, 2026

  • Affected: All cPanel & WHM versions prior to today's patch

  • CVE IDs: CVE-2026-29201, CVE-2026-29202, CVE-2026-29203

 

Back

  Support

My Support Tickets Announcements Knowledgebase Downloads Network Status Open Ticket