Scaner-VSvulnerability catalog · v4.2

Home Catalog Sources CWE CAPEC ATT&CK Mitigations Products Vendors Docs

← Back to List

Cpanel›Applicationanchore_overrides,nvd

Whm

Vulnerabilities

11

Known exploited

1

Max CVSS

9.3

Top EPSS

0.90543

Severity breakdown

Critical

1

High

6

Medium

4

Low

0

Affected version ranges

11.132.1.0–11.136.1.1211.136.0.0–11.136.0.1011.136.0.0–11.136.0.911.136.1.0–11.136.1.1011.136.1.0–11.136.1.1211.40–86.0.41≤ 56.0.50

Also matched as (raw): whm,cpanel

Top vulnerabilities

CVE-2026-41940cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

CVE-2026-29205Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints.

CVE-2026-29201Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.

CVE-2026-32993Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.

CVE-2026-32992SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials.

CVE-2026-29206Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled.

CVE-2026-32991Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account.

CVE-2017-11441The WHM Upload Locale interface in cPanel before 56.0.51, 58.x before 58.0.52, 60.x before 60.0.45, 62.x before 62.0.27, 64.x before 64.0.33, and 66.x before 66.0.2 has XSS via a locale filename, aka SEC-297.

CVE-2012-6449The clientconf.html and detailbw.html pages in x3 in cPanel & WHM 11.34.0 (build 8) have a XSS vulnerability.

CVE-2026-29203A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.

CVE-2026-29202Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.

View vendor →Open in catalog with product filter →