Security: CVE-2026-29202 - cPanel & WHM / WP2 Security Update - May 08, 2026

Situation

A Perl code injection method was found in the create_user API call, relating to the plugin parameter.

Impact

We have pushed out a patch in the following cPanel & WHM versions: 

• 11.136.0.9 and higher
• 11.134.0.25 and higher
• 11.132.0.31 and higher
• 11.130.0.22 and higher
• 11.126.0.58 and higher
• 11.124.0.37 and higher
• 11.118.0.66 and higher
• 11.110.0.117 and higher
• 11.102.0.41 and higher
• 11.94.0.30 and higher
• 11.86.0.43 and higher

We have pushed out a patch in the following WP Squared version:

• 11.136.1.11 and higher

For customers still on CentOS 6 or CloudLinux 6, we have also released v11.110.0.116 as a direct update. To upgrade to this version, run the following command to set the upgrade tier, and then follow the steps in the "Required Actions" below.

# sed -i "s/CPANEL=.*/CPANEL=cl6110/g" /etc/cpupdate.conf

Note: All further versions of cPanel are patched for this issue as well. Please see the latest changelogs for version information of each cPanel branch:
https://docs.cpanel.net/changelogs/

Call to Action

1. Update the cPanel version on the server to one of the versions listed above. This can be done with the following:

   # /scripts/upcp --force

2. Once completed, verify the cPanel version with the following to ensure the update was successful.

   # /usr/local/cpanel/cpanel -V

Additional Information

Additional security incidents are resolved in this latest release as well. Please see the following for more information:

Security: CVE-2026-29201 - cPanel & WHM / WP2 Security Update - May 08, 2026

Security: CVE-2026-29203 - cPanel & WHM / WP2 Security Update - May 08, 2026