CVE-2026-54420 – cPanel Plugin
CVSS 8.5
IMPORTANT
Critical or Zero Day – Immediate Deployment
“A shared hosting boundary is only effective when one user cannot influence another user’s files.”
LiteSpeed patched CVE-2026-54420 in the cPanel Plugin before version 2.4.8 and LiteSpeed WHM PlugIn before version 5.3.2.0. The vulnerability involves improper handling of user-provided symbolic links on shared hosting servers running CloudLinux/CageFS. The CVSS score is 8.5, which is High severity.
Successful exploitation could allow a user with FTP or web shell access on a shared hosting server to bypass intended isolation controls and access resources outside their authorized scope. This may lead to unauthorized access to data belonging to other users hosted on the same system. Active exploitation has been reported.
Key Details
- Affected Product
- Litespeedtech Litespeed Cpanel Plugin
- Attack Vector
- Network
- Attack Complexity
- High
- Privileges Required
- Low
- User Interaction
- None
- CWE Classification
- CWE-61
Patch this CVE on all your endpoints in under 5 minutes.
First 200 endpoints are free forever, scale as needed.