Unsafe Symlink Handling Vulnerability – May 08, 2026
⚠️ Critical Security Advisory
A security vulnerability identified as CVE-2026-29203 has been discovered in cPanel & WHM and WP Squared (WP2).
🔍 Vulnerability Overview
An unsafe symlink handling issue was discovered that may allow a user to perform chmod operations on arbitrary files.
Exploitation of this flaw could result in Denial of Service (DoS) and potentially privilege escalation on affected systems.
🚨 Potential Impact
- Unauthorized permission modification on files
- Denial of Service (DoS)
- Privilege escalation risks
- Potential disruption of hosted services
- Security compromise of shared hosting environments
✅ Patched cPanel Versions
- 11.136.0.9+
- 11.134.0.25+
- 11.132.0.31+
- 11.130.0.22+
- 11.126.0.58+
- 11.124.0.37+
- 11.118.0.66+
- 11.110.0.116+
- 11.110.0.117+
- 11.102.0.41+
- 11.94.0.30+
- 11.86.0.43+
🟦 WP Squared (WP2) Patched Version
WP Squared users should upgrade to: 11.136.1.10 or later
🛠️ CentOS 6 / CloudLinux 6 Users
For systems still running CentOS 6 or CloudLinux 6, cPanel released v110.0.114 as a direct update.
Set the upgrade tier using:
⬆️ Update cPanel & WHM
Run the following command to update your server:
After updating, verify the installed cPanel version:
🔒 Security Recommendation
All server administrators and hosting providers should immediately update cPanel & WHM to a patched version to mitigate potential symlink exploitation risks.
Servers running outdated cPanel versions remain vulnerable to symlink handling exploits, which may lead to denial of service or privilege escalation attacks.
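To check a server against the patched-version list above, the following added example (not cPanel's own tooling, and not part of the original advisory) classifies a version string by release branch. The function name and status labels are assumptions made for illustration; branch 110 is listed twice in the advisory, so the lower build (116) is used as its threshold, and WP Squared builds are not judged.

```shell
#!/bin/sh
# Added example (not vendor code): classify a cPanel & WHM version string
# against the patched builds listed in this advisory.
# Accepts "11.136.0.9", "136.0.9" or "v110.0.114" style input.

# branch:minimum-patched-build pairs copied from the advisory list.
# Branch 110 appears twice there (116 and 117); the lower value is used.
PATCHED="136:9 134:25 132:31 130:22 126:58 124:37 118:66 110:116 102:41 94:30 86:43"

# Prints: patched | vulnerable | el6-direct-update | unlisted | invalid
cpanel_patch_status() {
    ver=${1#v}
    case $ver in
        11.*.*.*) ver=${ver#11.} ;;      # drop the leading "11." prefix
    esac
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 0 ;;
    esac
    # Split into branch.minor.build; anything left over lands in $extra.
    IFS=. read -r branch minor build extra <<EOF
$ver
EOF
    if [ -z "$build" ] || [ -n "$extra" ]; then
        echo invalid; return 0
    fi
    # Every cPanel & WHM build in the list has minor 0; WP Squared
    # (11.136.1.10) is a separate product line and is not judged here.
    if [ "$minor" -ne 0 ]; then
        echo unlisted; return 0
    fi
    # Build named by the advisory for CentOS 6 / CloudLinux 6 systems.
    if [ "$branch" -eq 110 ] && [ "$build" -eq 114 ]; then
        echo el6-direct-update; return 0
    fi
    for entry in $PATCHED; do
        if [ "$branch" -eq "${entry%%:*}" ]; then
            if [ "$build" -ge "${entry#*:}" ]; then
                echo patched
            else
                echo vulnerable
            fi
            return 0
        fi
    done
    echo unlisted    # branch has no patched build in the advisory
}

# Usage: pass the version string reported by your server as the argument.
if [ $# -gt 0 ]; then cpanel_patch_status "$1"; fi
```

A result of "unlisted" means the advisory names no patched build for that branch, so the server needs a move to a listed branch rather than an in-branch update.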