Perl Code Injection Vulnerability – May 08, 2026
⚠️ Critical Security Advisory
A security vulnerability identified as CVE-2026-29202 has been discovered in cPanel & WHM and WP Squared (WP2).
🔍 Vulnerability Overview
A Perl code injection vulnerability was identified in the create_user API call, specifically involving the plugin parameter.
Improper input validation may allow malicious code injection, potentially leading to unauthorized command execution or compromise of the hosting environment.
🚨 Potential Impact
- Remote code execution risks
- Unauthorized server actions
- Privilege escalation possibilities
- Compromise of hosting accounts
- Potential server-wide security exposure
✅ Patched cPanel Versions
- 11.136.0.9+
- 11.134.0.25+
- 11.132.0.31+
- 11.130.0.22+
- 11.126.0.58+
- 11.124.0.37+
- 11.118.0.66+
- 11.110.0.116+
- 11.110.0.117+
- 11.102.0.41+
- 11.94.0.30+
- 11.86.0.43+
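A version check against the patched builds listed above, as an added example that is not part of the original advisory or cPanel's own tooling. It assumes the installed version is supplied as a four-field string in the form the list uses. The function name and sample versions are constructed, the 110 branch uses the lower of its two listed builds, and the CentOS 6 / CloudLinux 6 build v110.0.114 is not modelled.

```shell
#!/bin/sh
# Added example: classify a cPanel version string against the patched builds
# listed in this advisory. Not cPanel tooling; sample versions are constructed.

# Minimum patched build per release branch, copied from the advisory's list.
# Assumption: the 110 branch is listed twice (.116 and .117); the lower is used.
# The CentOS 6 / CloudLinux 6 direct update (v110.0.114) is not modelled here.
PATCHED_BUILDS="
11.136.0.9 11.134.0.25 11.132.0.31 11.130.0.22
11.126.0.58 11.124.0.37 11.118.0.66 11.110.0.116
11.102.0.41 11.94.0.30 11.86.0.43
"

# check_cpanel_version VERSION  (hypothetical helper name)
# Prints: patched | vulnerable | unlisted-branch | invalid
# Returns 0 only when the build is at or above the listed fix for its branch.
check_cpanel_version() {
    ver=$1
    # Accept only digits and single dots, so nothing else reaches the parser.
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver                 # split into fields on "."
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 2; }
    branch="$1.$2.$3"; build=$4
    for fixed in $PATCHED_BUILDS; do
        # Compare only within the same release branch (first three fields).
        if [ "${fixed%.*}" = "$branch" ]; then
            if [ "$build" -ge "${fixed##*.}" ]; then
                echo patched; return 0
            fi
            echo vulnerable; return 1
        fi
    done
    # Branch not in the advisory: no conclusion can be drawn from this list.
    echo unlisted-branch; return 3
}

# Constructed sample inputs.
for v in 11.134.0.24 11.134.0.25 11.128.0.5; do
    printf '%s -> %s\n' "$v" "$(check_cpanel_version "$v")"
done
```

A result of unlisted-branch means the advisory gives no fixed build for that release line, so the version should be checked against the vendor's current guidance, not assumed safe.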
🟦 WP Squared (WP2) Patched Version
WP Squared users should upgrade to 11.136.1.10 or later.
🛠️ CentOS 6 / CloudLinux 6 Users
For systems still running CentOS 6 or CloudLinux 6, cPanel released v110.0.114 as a direct update.
Set the upgrade tier using:
⬆️ Update cPanel & WHM
Run the following command to update your server:
After updating, verify the installed cPanel version:
🔒 Security Recommendation
All hosting providers and server administrators should immediately update cPanel & WHM to a patched version to mitigate the risk of Perl code injection attacks.
Servers running outdated cPanel versions remain vulnerable to code injection attacks. Immediate patching is strongly recommended.