Arbitrary File Read Vulnerability – May 08, 2026
⚠️ Critical Security Advisory
A security vulnerability identified as CVE-2026-29201 has been discovered in cPanel & WHM and WP Squared (WP2).
🔍 Vulnerability Overview
The vulnerability exists in the feature::LOADFEATUREFILE adminbin call, where insufficient validation of feature file names allows attackers to pass relative paths as arguments.
This flaw may cause arbitrary files on the server to become world-readable, potentially exposing sensitive information.
🚨 Potential Impact
- Unauthorized access to sensitive server files
- Exposure of configuration data
- Information disclosure vulnerabilities
- Increased risk of privilege escalation
- Potential compromise of hosting environments
✅ Patched cPanel Versions
- 11.136.0.9+
- 11.134.0.25+
- 11.132.0.31+
- 11.130.0.22+
- 11.126.0.58+
- 11.124.0.37+
- 11.118.0.66+
- 11.110.0.116+
- 11.110.0.117+
- 11.102.0.41+
- 11.94.0.30+
- 11.86.0.43+
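The branch-by-branch comparison implied by the list above can be scripted. The following is an added example, not code from cPanel or from this advisory; the function name `check_cpanel_version` and its return codes are assumptions made for illustration, and the version string is supplied by you as an argument.

```bash
#!/usr/bin/env bash
# Added example (not cPanel's code): check a cPanel & WHM version string
# against the patched builds this advisory lists for CVE-2026-29201.

# Minimum patched build per release branch, copied from the list above.
# The list names both 11.110.0.116+ and 11.110.0.117+; the lower is used.
# The WP Squared and CentOS 6 / CloudLinux 6 builds are not included.
PATCHED_BUILDS="136.0.9 134.0.25 132.0.31 130.0.22 126.0.58 124.0.37
118.0.66 110.0.116 102.0.41 94.0.30 86.0.43"

# check_cpanel_version VERSION
#   0 = at or above the listed patched build for its branch
#   1 = below the listed patched build
#   2 = branch not in the list, or VERSION malformed
check_cpanel_version() {
    local v major minor build entry
    v="${1:-}"; v="${v#v}"
    case "$v" in 11.*.*.*) v="${v#11.}" ;; esac   # accept 11.136.0.9 and 136.0.9
    case "$v" in
        *[!0-9.]*|*.*.*.*) return 2 ;;
        *.*.*) ;;
        *) return 2 ;;
    esac
    major="${v%%.*}"; build="${v##*.}"
    minor="${v#*.}"; minor="${minor%.*}"
    if [ -z "$major" ] || [ -z "$minor" ] || [ -z "$build" ]; then return 2; fi
    for entry in $PATCHED_BUILDS; do
        if [ "${entry%.*}" = "$major.$minor" ]; then
            if [ "$build" -ge "${entry##*.}" ]; then return 0; else return 1; fi
        fi
    done
    return 2
}

# Stand-alone use: pass the version string your server reports.
if [ -n "${1:-}" ]; then
    rc=0; check_cpanel_version "$1" || rc=$?
    case "$rc" in
        0) echo "$1: at or above the listed patched build" ;;
        1) echo "$1: below the listed patched build, update required" ;;
        *) echo "$1: branch not in the advisory's list" ;;
    esac
    exit "$rc"
fi
```

A return code of 2 means the branch does not appear in the list, so the result says nothing about whether that build is affected.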
🟦 WP Squared (WP2) Patched Version
WP Squared users should upgrade to: 11.136.1.10 or later
🛠️ CentOS 6 / CloudLinux 6 Users
For systems still running CentOS 6 or CloudLinux 6, cPanel released v110.0.114 as a direct update.
Set the upgrade tier using:
⬆️ Update cPanel & WHM
Run the following command to update your server:
After updating, verify the installed cPanel version:
🔒 Security Recommendation
All hosting providers and server administrators are strongly advised to update cPanel & WHM immediately. Servers running outdated cPanel versions remain vulnerable to arbitrary file disclosure attacks.