⚠️ Critical SQL Injection Vulnerability

A vulnerability identified as CVE-2026-29206 was discovered in the sqloptimizer script used by cPanel & WHM.

🔍 Vulnerability Overview

cPanel discovered that SQL queries generated by the sqloptimizer script could potentially be manipulated and injected with arbitrary SQL queries.

Improper sanitization of generated SQL statements may allow attackers to inject unintended database queries under specific conditions.

This vulnerability affects all cPanel & WHM versions, so immediate patching is strongly recommended.

🚨 Potential Impact

  • Arbitrary SQL query injection
  • Database manipulation risks
  • Potential unauthorized data access
  • Privilege escalation possibilities
  • Unexpected database modifications

📌 Affected Versions

All cPanel & WHM versions are affected

✅ Patched cPanel Versions

  • 11.86.0.44+
  • 11.94.0.31+
  • 11.102.0.42+
  • 11.110.0.118 (cl6110)
  • 11.110.0.119+
  • 11.118.0.67+
  • 11.124.0.38+
  • 11.126.0.59+
  • 11.130.0.23+
  • 11.132.0.32+
  • 11.134.0.26+
  • 11.136.0.10+

WP Squared patched version:

  • 11.136.1.12 and higher

CentOS 6 / CloudLinux 6 Users:

sed -i "s/CPANEL=.*/CPANEL=cl6110/g" /etc/cpupdate.conf

🛠️ How to Update cPanel

Update your server immediately using:

/scripts/upcp --force

Verify the installed version after updating:

/usr/local/cpanel/cpanel -V
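
To check a fleet against the patched builds listed above, the following added example (not cPanel's or this page's own tooling) compares a version string with that list. It assumes the version is supplied in the four-part 11.x.y.z form the list uses and reads 11.110.0.118 as patched only on the cl6110 tier; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: classify a cPanel version against the patched builds in this
# advisory. Input form "11.<major>.<minor>.<build>" is an assumption.

# min_patched_build BRANCH -> lowest patched build for that branch, or nothing
# when the advisory lists no fixed build for it.
min_patched_build() {
    case "$1" in
        86.0)  echo 44 ;;
        94.0)  echo 31 ;;
        102.0) echo 42 ;;
        110.0) echo 119 ;;   # build 118 is handled below for the cl6110 tier
        118.0) echo 67 ;;
        124.0) echo 38 ;;
        126.0) echo 59 ;;
        130.0) echo 23 ;;
        132.0) echo 32 ;;
        134.0) echo 26 ;;
        136.0) echo 10 ;;
        136.1) echo 12 ;;    # WP Squared
    esac
}

# cpanel_patch_status VERSION [TIER]
# Prints one of: patched | vulnerable | unlisted-branch | invalid
cpanel_patch_status() {
    version=$1
    tier=${2:-}
    # Reject anything that is not 11.<digits>.<digits>.<digits>.
    if ! printf '%s\n' "$version" | grep -Eq '^11\.[0-9]+\.[0-9]+\.[0-9]+$'; then
        echo invalid; return 2
    fi
    rest=${version#11.}      # e.g. 110.0.118
    build=${rest##*.}        # e.g. 118
    branch=${rest%.*}        # e.g. 110.0
    min=$(min_patched_build "$branch")
    if [ -z "$min" ]; then echo unlisted-branch; return 3; fi
    # Assumption: 11.110.0.118 counts as patched only on the cl6110 tier.
    if [ "$branch" = 110.0 ] && [ "$build" -eq 118 ] && [ "$tier" = cl6110 ]; then
        echo patched; return 0
    fi
    if [ "$build" -ge "$min" ]; then echo patched; return 0; fi
    echo vulnerable; return 1
}
```

A result of unlisted-branch means the advisory names no fixed build for that release line, so the host needs a manual decision rather than a pass.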

🔒 Additional Security Fixes Included

  • CVE-2026-29205
  • CVE-2026-32991
  • CVE-2026-32992
  • CVE-2026-32993

🔒 Security Recommendation

Update all cPanel servers immediately and monitor database activity logs for suspicious or unexpected SQL operations.

⚠️ Final Security Warning:
Servers running outdated cPanel versions remain vulnerable to SQL injection risks within the sqloptimizer component.