cPanel Patches Multiple Vulnerabilities: Privilege Escalation, Code Execution, and DoS Risks

**cPanel** has issued updates addressing three security vulnerabilities in **cPanel** and Web Host Manager (**WHM**). These flaws could be exploited by attackers to achieve privilege escalation, arbitrary code execution, and denial-of-service (DoS) conditions on affected systems. Users are strongly advised to apply the available patches immediately.

### Vulnerability Details
The identified vulnerabilities are:
* **CVE-2026-29201** (CVSS score: 4.3) - Insufficient input validation of the feature file name in the `feature::LOADFEATUREFILE` adminbin call. This could lead to arbitrary file read.
* **CVE-2026-29202** (CVSS score: 8.8) - Insufficient input validation of the `plugin` parameter in the `create_user` API call. This could result in arbitrary Perl code execution on behalf of the already authenticated account's system user.
* **CVE-2026-29203** (CVSS score: 8.8) - An unsafe symlink handling vulnerability that allows a user to modify access permissions of an arbitrary file using chmod, potentially leading to denial-of-service or privilege escalation.

### Affected Versions & Mitigation
The vulnerabilities have been addressed in the following **cPanel** and **WHM** versions:
* cPanel and WHM:
    * 11.136.0.9 and higher
    * 11.134.0.25 and higher
    * 11.132.0.31 and higher
    * 11.130.0.22 and higher
    * 11.126.0.58 and higher
    * 11.124.0.37 and higher
    * 11.118.0.66 and higher
    * 11.110.0.116 and higher
    * 11.110.0.117 and higher
    * 11.102.0.41 and higher
    * 11.94.0.30 and higher
    * 11.86.0.43 and higher
* WP Squared:
    * 11.136.1.10 and higher

**cPanel** has also released version 110.0.114 as a direct update for customers using CentOS 6 or CloudLinux 6. Users are strongly encouraged to update to the latest available versions to ensure they are protected against these vulnerabilities.
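
A check of an installed version string against the fixed builds listed above, as an added example (not cPanel's own tooling). It assumes the installed version can be read from `/usr/local/cpanel/version` and that a three-part version such as 110.0.114 is the short form of 11.110.0.114; versions on a tier the list does not name are reported as unlisted rather than guessed.

```python
import sys

# Fixed builds from the advisory's list, keyed by release tier (first three
# version components) -> lowest build the list names as fixed for that tier.
# Keying on the tier keeps WP Squared (11.136.1.x) apart from cPanel 11.136.0.x.
FIXED = {
    (11, 136, 0): 9, (11, 134, 0): 25, (11, 132, 0): 31, (11, 130, 0): 22,
    (11, 126, 0): 58, (11, 124, 0): 37, (11, 118, 0): 66, (11, 110, 0): 116,
    (11, 102, 0): 41, (11, 94, 0): 30, (11, 86, 0): 43,
    (11, 136, 1): 10,  # WP Squared
}
# Direct update named for CentOS 6 / CloudLinux 6 hosts only.
EL6_FIXED = {(11, 110, 0): 114}

VERSION_FILE = "/usr/local/cpanel/version"  # assumed location, not from the page


def parse_version(text):
    """Return a 4-tuple of ints; raises ValueError on anything else."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) == 3:  # assumption: "110.0.114" is short for "11.110.0.114"
        parts.insert(0, 11)
    if len(parts) != 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts)


def patch_status(version_text, el6=False):
    """Classify a version as 'patched', 'unpatched' or 'unlisted'."""
    version = parse_version(version_text)
    tier, build = version[:3], version[3]
    table = {**FIXED, **EL6_FIXED} if el6 else FIXED
    if tier not in table:
        # The advisory names no fixed build for this tier, so do not guess.
        return "unlisted"
    return "patched" if build >= table[tier] else "unpatched"


if __name__ == "__main__":
    # Usage: script.py [version] [--el6]; reads VERSION_FILE if no version given.
    args = [a for a in sys.argv[1:] if a != "--el6"]
    raw = args[0] if args else open(VERSION_FILE).read()
    status = patch_status(raw, el6="--el6" in sys.argv)
    print(f"{raw.strip()}: {status}")
    sys.exit(0 if status == "patched" else 1)
```

The non-zero exit status for anything other than `patched` lets the check run across a fleet from a configuration-management or monitoring job.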

### Prior Exploitation and Risk
While there is currently no evidence of active exploitation of these specific vulnerabilities, this disclosure follows the recent discovery of active exploitation of **CVE-2026-41940** as a zero-day vulnerability. This flaw was leveraged by threat actors to distribute **Mirai** botnet variants and the **Sorry** ransomware.

Given the potential impact and the recent history of **cPanel** vulnerabilities being exploited in the wild, prompt patching is critical.