CVE-2026-29201

Name of the Vulnerable Software and Affected Versions cPanel versions prior to 11.136.0.9 cPanel (WP Squared) versions prior to 11.136.1.10 cPanel versions prior to 11.134.0.25 cPanel versions prior to 11.132.0.31 cPanel versions prior to 11.130.0.22 cPanel versions prior to 11.126.0.58 cPanel versions prior to 11.124.0.37 cPanel versions prior to 11.118.0.66 cPanel versions prior to 11.110.0.117 cPanel (cl6110) versions prior to 11.110.0.116 cPanel versions prior to 11.102.0.41 cPanel versions prior to 11.94.0.30 cPanel versions prior to 11.86.0.43

Description Insufficient input validation of the feature file name in the feature::LOADFEATUREFILE adminbin call can lead to arbitrary file read when a relative file path is provided.

Recommendations Update to version 11.136.0.9 or higher. Update to version 11.136.1.10 or higher (WP Squared). Update to version 11.134.0.25 or higher. Update to version 11.132.0.31 or higher. Update to version 11.130.0.22 or higher. Update to version 11.126.0.58 or higher. Update to version 11.124.0.37 or higher. Update to version 11.118.0.66 or higher. Update to version 11.110.0.117 or higher. Update to version 11.110.0.116 or higher (cl6110). Update to version 11.102.0.41 or higher. Update to version 11.94.0.30 or higher. Update to version 11.86.0.43 or higher. Restrict access to WHM management ports 2086 and 2087 to trusted IP addresses. Disable the Terminal feature within the WHM UI by running touch /var/cpanel/disable whm terminal ui.