PT-2026-38675 · Cpanel · Cpanel+1
David Hertenstein · Published 2026-05-08 · Updated 2026-06-08
CVE-2026-29203
CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
cPanel Nova plugin versions prior to 11.136.0.9
cPanel Nova plugin versions prior to 11.136.1.10 (WP Squared)
cPanel Nova plugin versions prior to 11.134.0.25
cPanel Nova plugin versions prior to 11.132.0.31
cPanel Nova plugin versions prior to 11.130.0.22
cPanel Nova plugin versions prior to 11.126.0.58
cPanel Nova plugin versions prior to 11.124.0.37
cPanel Nova plugin versions prior to 11.118.0.66
cPanel Nova plugin versions prior to 11.110.0.117
cPanel Nova plugin versions prior to 11.110.0.116 (cl6110)
cPanel Nova plugin versions prior to 11.102.0.41
cPanel Nova plugin versions prior to 11.94.0.30
cPanel Nova plugin versions prior to 11.86.0.43
Description
A chmod call in the Cpanel::Nova::Connector function follows symlinks, which allows an authenticated user to set root permissions on arbitrary system files or directories. This occurs when a user places a symlink at a user-controlled legacy Nova path within their home directory, potentially leading to local privilege escalation or a denial-of-service (DoS) condition.
Recommendations
Update to version 11.136.0.9 or higher.
Update to version 11.136.1.10 or higher (WP Squared).
Update to version 11.134.0.25 or higher.
Update to version 11.132.0.31 or higher.
Update to version 11.130.0.22 or higher.
Update to version 11.126.0.58 or higher.
Update to version 11.124.0.37 or higher.
Update to version 11.118.0.66 or higher.
Update to version 11.110.0.117 or higher.
Update to version 11.110.0.116 or higher (cl6110).
Update to version 11.102.0.41 or higher.
Update to version 11.94.0.30 or higher.
Update to version 11.86.0.43 or higher.
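The symlink-following behaviour from the description, shown as an added illustration that is not cPanel's code or its fix: a path-based chmod changes the link's target, while opening with O_NOFOLLOW and calling fchmod on the descriptor refuses the link. The file names and the `legacy_path` link are constructed stand-ins inside a temporary directory.

```python
import os
import stat
import tempfile


def chmod_following(path, mode):
    """Unsafe pattern: os.chmod() resolves a symlink and changes its target."""
    os.chmod(path, mode)


def chmod_nofollow(path, mode):
    """Hardened pattern: refuse a symlink, then change mode on the open fd."""
    # O_NOFOLLOW makes open() fail (ELOOP) when the final component is a symlink.
    # O_NONBLOCK avoids hanging if the path turns out to be a FIFO.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        st = os.fstat(fd)
        if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
            raise OSError("refusing: not a regular file or directory")
        # fchmod acts on the object already opened, so the path cannot be
        # swapped between the check and the mode change.
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def demo():
    """Run both patterns against a constructed symlink; return what happened."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "protected.conf")  # stand-in for a system file
        link = os.path.join(root, "legacy_path")       # stand-in for the user-controlled path
        with open(target, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(target, 0o600)
        os.symlink(target, link)

        refused = False
        try:
            chmod_nofollow(link, 0o644)
        except OSError:
            refused = True
        mode_after_safe = stat.S_IMODE(os.stat(target).st_mode)

        chmod_following(link, 0o644)
        mode_after_unsafe = stat.S_IMODE(os.stat(target).st_mode)
        return refused, mode_after_safe, mode_after_unsafe


if __name__ == "__main__":
    print(demo())
```

O_NOFOLLOW only guards the final path component; when parent directories are also user-writable, a privileged process needs to walk the path with directory descriptors or drop to the owning user before touching it.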
Fix
LPE
DoS
Affected Products
Nova
Cpanel