[Important] cPanel & WHM Security Update CVE-2026-29201, CVE-2026-29202, CVE-2026-29203 Patch Arriving May 08, 12:00pm EST

Jade @ Absolute Hosting

Absolute Hosting Representative
Company Rep
Company Rep
Joined
Nov 17, 2015
Messages
2,020
Reaction score
1,459
Location
Centurion
cPanel have identified a new security vulnerability in cPanel & WHM through a trusted disclosure source. Our engineering team is actively developing patches, and we are reaching out early so you can prepare your servers to update as soon as it is available.



To help protect customers prior to patch availability, technical details about vulnerabilities will be released alongside the patches. Full technical details will be published on our support page at the same time the patch is released. The CVE IDs are CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203.



Patch & Affected Versions

The patch will be available on May 08 at 12:00pm EST and will be distributed through the standard cPanel automatic update process and through the manual update process. We strongly recommend performing a manual update with /scripts/upcp once the patch is made available.



Patched versions:
cpanel_notice.png

If you are running an unsupported version of cPanel & WHM not listed above, please update to the latest version using /scripts/upcp



Prepare Now

  • Identify affected servers. Review your servers on the affected version branches above.
  • Check the update configuration. For servers where automatic updates are disabled or version-pinned, review /etc/cpupdate.conf now, so there are no delays when the patch lands.
  • Brief your team. If your environment requires a maintenance window, notify the relevant people so they are ready to act.
  • Manual update. If your team wishes to update impacted servers before an automatic update is triggered, run /scripts/upcp once the patch is made available.
  • Note for CloudLinux 6 users: Before manually updating, set the update tier to the cl6110 branch by running sed -i "s/CPANEL=.*/CPANEL=cl6110/g" /etc/cpupdate.conf
 
These CVEs appear nowhere. What's the source of this update
 
Top
Sign up to the MyBroadband newsletter
X