cPanel & WHM Updates: Addressing RCE, PrivEsc, and DoS - Patch Now
Hey team,
Just saw the advisories drop regarding cPanel and Web Host Manager (WHM). There are three new vulnerabilities patched that cover a nasty spectrum: privilege escalation, code execution, and denial-of-service.
While the full breakdown of all three is incoming, I wanted to highlight CVE-2026-29201 specifically. It has a CVSS score of 4.3, which usually leads to complacency, but the underlying mechanics are concerning. It involves insufficient input validation of the feature file name during the feature::LOADFEATUREFILE adminbin call.
If you have custom feature files or rely on specific adminbin hooks, you should review this immediately. Don't let the 'Medium' score fool you on this one; in a shared hosting environment, privilege escalation can be devastating.
For those managing fleets, I recommend checking your current installed versions against the latest release notes to ensure you are patched:
/usr/local/cpanel/cpanel -V
Make sure your update infrastructure is pushing these patches automatically. The combination of RCE and DoS vectors makes this a priority update.
How is everyone handling the rollout? Are you forcing the update via upcp immediately, or are you staging it first to check for plugin conflicts?
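Added example, not from the thread and not cPanel's own tooling: a small POSIX sh fleet check that parses the version string printed by `/usr/local/cpanel/cpanel -V` and compares it against the minimum patched version you take from the release notes. Two assumptions are baked in and labelled in the code: the first dotted numeric token in that command's output is the version, and the minimum version itself is not known here, so you pass it in via `MIN_VERSION`; the sample values used when the binary is absent are constructed placeholders, not real releases.

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): compare the version reported by
# `/usr/local/cpanel/cpanel -V` against the minimum patched version taken from
# the release notes. That minimum is NOT known to this script; pass MIN_VERSION.
# Assumption: the first dotted numeric token in the output is the version.

# vercmp A B: print -1, 0 or 1 as dotted version A is <, = or > B.
# Missing trailing components count as 0, so 11.110 equals 11.110.0.0.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"                       # leading component of each
    if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# extract_version TEXT: first dotted numeric version in TEXT, or nothing.
extract_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# needs_update CPANEL_V_OUTPUT MIN_VERSION: exit 0 when the installed version is
# below MIN_VERSION, 1 when it is at or above it, 2 when no version was found.
needs_update() {
  v="$(extract_version "$1")"
  if [ -z "$v" ]; then
    echo "could not parse a version from: $1" >&2
    return 2
  fi
  [ "$(vercmp "$v" "$2")" -lt 0 ]
}

# Fleet use: MIN_VERSION=<value from the release notes> sh check.sh on each host.
# Off a cPanel box (or with MIN_VERSION unset) constructed placeholders are used.
if [ -x /usr/local/cpanel/cpanel ] && [ -n "${MIN_VERSION:-}" ]; then
  out="$(/usr/local/cpanel/cpanel -V 2>/dev/null)"
else
  out="11.110.0.5"                              # constructed sample, not a real release
  MIN_VERSION="${MIN_VERSION:-11.110.0.9}"      # constructed sample, not the real cutoff
fi
if needs_update "$out" "$MIN_VERSION"; then
  echo "UNPATCHED: installed $(extract_version "$out") < required $MIN_VERSION"
elif [ $? -eq 1 ]; then
  echo "ok: installed $(extract_version "$out") >= required $MIN_VERSION"
else
  echo "version check inconclusive; inspect the output of cpanel -V by hand"
fi
```

The comparison is done component by component in plain sh rather than with `sort -V` so it behaves the same on hosts without GNU coreutils; a parse failure is reported separately from "patched" so a broken `cpanel -V` cannot masquerade as a clean result.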
Good catch on the feature::LOADFEATUREFILE issue. We're seeing a lot of admins ignore the 4.3 CVSS scores. I'd suggest checking your logs for any anomalies in the adminbin execution around the time of the update if you suspect exploitation. A quick grep for suspicious adminbin calls might be worth it:
grep 'adminbin' /usr/local/cpanel/logs/access_log | grep 'LOADFEATUREFILE'
We're pushing the update via our internal orchestration tool tonight during the maintenance window.
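Added example, not from the thread and not cPanel's own code, building on the grep above: rather than listing every feature::LOADFEATUREFILE call, it keeps only those whose feature-file argument is not a plain name (a path separator, a `..` traversal sequence, percent-encoding, or an empty value), which is what you would look at first given that the advisory describes insufficient validation of that file name. The log line layout (`... feature::LOADFEATUREFILE user=<u> file=<name>`) and the sample lines are constructed for the example; adapt the field extraction to what your adminbin log actually records.

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): flag feature::LOADFEATUREFILE
# adminbin calls whose feature-file argument is not a plain file name.
# The "file=<name>" field layout is a CONSTRUCTED assumption; adapt the awk
# field extraction to the real record format of your adminbin log.

# suspicious_feature_loads: read log lines on stdin and print the
# LOADFEATUREFILE calls whose file= argument is missing or empty, contains a
# path separator, a ".." traversal sequence, or a percent sign (the cheapest
# way to smuggle either past a naive check).
suspicious_feature_loads() {
  awk '/feature::LOADFEATUREFILE/ {
    name = ""; seen = 0
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^file=/) { name = substr($i, 6); seen = 1 }
    }
    if (!seen || name == "" || index(name, "/") || index(name, "\\") ||
        index(name, "..") || index(name, "%")) print
  }'
}

# count_suspicious: how many lines suspicious_feature_loads would print.
count_suspicious() {
  suspicious_feature_loads | awk 'END { print NR + 0 }'
}

# Constructed sample log: five LOADFEATUREFILE calls plus one unrelated call.
SAMPLE_LOG='2026-01-01 10:00:01 adminbin feature::LOADFEATUREFILE user=tenant1 file=default
2026-01-01 10:00:02 adminbin feature::LOADFEATUREFILE user=tenant2 file=../../../etc/passwd
2026-01-01 10:00:03 adminbin feature::LOADFEATUREFILE user=tenant3 file=reseller_custom
2026-01-01 10:00:04 adminbin feature::LOADFEATUREFILE user=tenant4 file=/tmp/payload
2026-01-01 10:00:05 adminbin feature::LISTFEATURES user=tenant1
2026-01-01 10:00:06 adminbin feature::LOADFEATUREFILE user=tenant5 file=%2e%2e%2fx'

# Run against the sample; on a real host feed the adminbin log on stdin instead:
#   suspicious_feature_loads < /path/to/adminbin-log
printf '%s\n' "$SAMPLE_LOG" | suspicious_feature_loads
```

On the sample this prints the tenant2, tenant4 and tenant5 lines and nothing else. The rule is deliberately broad: a legitimate custom feature file is a bare name, so anything with a slash, dot-dot or percent sign is worth a human look, and an empty or missing argument is flagged too because a parser that accepts it is exactly the kind of gap the advisory is about.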
From a pentester's perspective, that input validation issue in CVE-2026-29201 is a classic foothold enabler. It might not be RCE on its own, but if you chain it with another minor misconfiguration, you're looking at a full host takeover. Shared hosting providers need to be extra careful here. If one tenant gets popped, the feature file loading mechanism could let them jump fences. Patch immediately.
I'm always wary of cPanel updates breaking legacy plugins. We run a few custom reseller setups that rely on specific feature file structures. We're staging the update on a single dev node first to check if the validation changes break our custom branding. If anyone else is running heavy customizations, I'd recommend holding off for 24 hours just to verify stability, unless you are already actively seeing IOCs.