PT-2026-38673 · Cpanel · Cpanel

David Hertenstein

·

Published

2026-05-08

·

Updated

2026-06-17

·

CVE-2026-29201

CVSS v3.1

8.6

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions cPanel versions prior to 11.136.0.9 cPanel versions prior to 11.136.1.10 (WP Squared) cPanel versions prior to 11.134.0.25 cPanel versions prior to 11.132.0.31 cPanel versions prior to 11.130.0.22 cPanel versions prior to 11.126.0.58 cPanel versions prior to 11.124.0.37 cPanel versions prior to 11.118.0.66 cPanel versions prior to 11.110.0.117 cPanel versions prior to 11.110.0.116 (cl6110) cPanel versions prior to 11.102.0.41 cPanel versions prior to 11.94.0.30 cPanel versions prior to 11.86.0.43
Description Insufficient input validation of the feature file name in the feature::LOADFEATUREFILE AdminBin call can lead to arbitrary file read when a relative file path is provided.
Recommendations Update to version 11.136.0.9 or higher. Update to version 11.136.1.10 or higher (WP Squared). Update to version 11.134.0.25 or higher. Update to version 11.132.0.31 or higher. Update to version 11.130.0.22 or higher. Update to version 11.126.0.58 or higher. Update to version 11.124.0.37 or higher. Update to version 11.118.0.66 or higher. Update to version 11.110.0.117 or higher. Update to version 11.110.0.116 or higher (cl6110). Update to version 11.102.0.41 or higher. Update to version 11.94.0.30 or higher. Update to version 11.86.0.43 or higher.

Fix

DoS

LPE

RCE

Relative Path Traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-29201

Affected Products

Cpanel