PT-2026-38675 · Cpanel · Cpanel+1

David Hertenstein · Published 2026-05-08 · Updated 2026-05-10 · CVE-2026-29203

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

cPanel versions prior to 11.136.0.9
cPanel (WP Squared) versions prior to 11.136.1.10
cPanel versions prior to 11.134.0.25
cPanel versions prior to 11.132.0.31
cPanel versions prior to 11.130.0.22
cPanel versions prior to 11.126.0.58
cPanel versions prior to 11.124.0.37
cPanel versions prior to 11.118.0.66
cPanel versions prior to 11.110.0.117
cPanel (cl6110) versions prior to 11.110.0.116
cPanel versions prior to 11.102.0.41
cPanel versions prior to 11.94.0.30
cPanel versions prior to 11.86.0.43

Description

A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks. This allows an authenticated cPanel user to set root permissions on arbitrary system files or directories by placing a symlink at a user-controlled legacy Nova path under their home directory, potentially leading to local privilege escalation or Denial of Service (DoS).

Recommendations

Update to version 11.136.0.9 or higher.
Update to version 11.136.1.10 or higher (WP Squared).
Update to version 11.134.0.25 or higher.
Update to version 11.132.0.31 or higher.
Update to version 11.130.0.22 or higher.
Update to version 11.126.0.58 or higher.
Update to version 11.124.0.37 or higher.
Update to version 11.118.0.66 or higher.
Update to version 11.110.0.117 or higher.
Update to version 11.110.0.116 or higher (cl6110).
Update to version 11.102.0.41 or higher.
Update to version 11.94.0.30 or higher.
Update to version 11.86.0.43 or higher.
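
The following added example is not cPanel's code or its fix. It shows in Python why the path-based chmod named in the Description changes a symlink's target, and one way a privileged caller can refuse symlinks by opening with O_NOFOLLOW and calling fchmod on the descriptor. The helper names and the temp-directory file names are constructed for illustration.

```python
import os
import stat
import tempfile

def chmod_nofollow(path, mode):
    """chmod that refuses to act if the final path component is a symlink."""
    # O_NOFOLLOW makes open() fail (ELOOP) on a symlink; O_NONBLOCK avoids
    # blocking on a FIFO. Only the last component is guarded: parent
    # directories the user controls need their own checks.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        st = os.fstat(fd)
        # Act only on what the caller expects: a regular file or a directory.
        if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
            raise OSError("refusing to chmod a special file: %r" % path)
        os.fchmod(fd, mode)  # operates on the opened inode, not on the name
    finally:
        os.close(fd)

def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Constructed scenario in a temp dir; returns the observed results."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "sensitive")  # stands in for a system file
        link = os.path.join(tmp, "user_path")    # user-controlled name
        plain = os.path.join(tmp, "plain")
        for p in (target, plain):
            with open(p, "w"):
                pass
            os.chmod(p, 0o600)
        os.symlink(target, link)

        try:
            chmod_nofollow(link, 0o644)
            refused = False
        except OSError:
            refused = True
        after_safe = mode_of(target)       # target left untouched

        os.chmod(link, 0o644)              # follows the symlink by default
        after_following = mode_of(target)  # target's mode has changed

        chmod_nofollow(plain, 0o640)       # ordinary file still works
        return refused, after_safe, after_following, mode_of(plain)

if __name__ == "__main__":
    print(demo())
```
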

Related Identifiers

CVE-2026-29203

Affected Products

Nova
Cpanel