CVE-2026-54420 – cPanel Plugin

CVSS 8.5 IMPORTANT Critical or Zero Day – Immediate Deployment

“A shared hosting boundary is only effective when one user cannot influence another user’s files.”

LiteSpeed patched CVE-2026-54420 in the cPanel Plugin before version 2.4.8 and LiteSpeed WHM PlugIn before version 5.3.2.0. The vulnerability involves improper handling of user-provided symbolic links on shared hosting servers running CloudLinux/CageFS. The CVSS score is 8.5, which is High severity.

Successful exploitation could allow a user with FTP or web shell access on a shared hosting server to bypass intended isolation controls and access resources outside their authorized scope. This may lead to unauthorized access to data belonging to other users hosted on the same system. Active exploitation has been reported.

Key Details

Affected Product
Litespeedtech Litespeed Cpanel Plugin
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
CWE Classification
CWE-61
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.