May 8 cPanel Security Update

Hey everyone!  We've just released the following security fixes and they are available now for you - you should update your servers as soon as you're able:

Security fixes (all versions):
• Fixed [Security]: An arbitrary file read in the feature::LOADFEATUREFILE adminbin call allows an authenticated user to read arbitrary files. (CVE-2026-29201)
• Fixed [Security]: A Perl code injection vulnerability in the create_user API call allows privilege escalation. (CVE-2026-29202)
• Fixed [Security]: An unsafe symlink handling error allows a user to chmod an arbitrary file, enabling denial of service and possible privilege escalation. (CVE-2026-29203)

Versions updated:
• 11.136.0.9 (EDGE, CURRENT)
• 11.136.1.10 (WP2 EDGE, WP2 RELEASE)
• 11.134.0.25 (RELEASE, STABLE, LTS)
• 11.132.0.31
• 11.130.0.22
• 11.126.0.58
• 11.124.0.37
• 11.118.0.66
• 11.110.0.117
• 11.110.0.116 (cl6110)
• 11.102.0.41
• 11.94.0.30
• 11.86.0.43

Also released: cpanel-xovi-plugin 1.9.0-1 - Security fix for user creation (CVE-2026-29202)