RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: authenticated-rce (2 articles)Clear
vulnerability
CVE-2026-29201CVE-2026-29202CVE-2026-29203
2026-05-09

cPanel patches three new flaws including two that let authenticated users run arbitrary Perl code on the server - on top of the active 'Sorry' ransomware wave still hitting unpatched systems

cPanel released patches Friday for three new vulnerabilities. The two worst (CVE-2026-29202 and CVE-2026-29203, both CVSS 8.8) let authenticated users execute arbitrary Perl code through the create_user API or escalate privileges via unsafe symlink chmod. The third (CVE-2026-29201, CVSS 4.3) lets authenticated users read arbitrary files. No exploitation observed yet. The disclosure lands while attackers are still mass-exploiting CVE-2026-41940 to deploy 'Sorry' ransomware against cPanel hosts, including a wave targeting government agencies and MSPs (covered May 5). Hosting providers face a compounding patch burden.

cpanelwhmauthenticated-rceperl-code-executionsymlinkprivilege-escalationsorry-ransomware-contextcompounding-patchescvss-8-8
Check
Inventory cPanel and WHM versions. Check whether any servers are still on builds before the May 9 release. Search authentication logs for use of the create_user API or feature::LOADFEATUREFILE adminbin call by accounts that don't normally use them.
Affected
cPanel and WHM versions before 11.136.0.9, 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, 11.124.0.37, 11.118.0.66, 11.110.0.116/117, 11.102.0.41, 11.94.0.30, 11.86.0.43. Legacy CentOS 6 and CloudLinux 6 customers must patch to 110.0.114. The CVSS 8.8 flaws require authentication, so internet-facing cPanel servers with weak password policies face acute risk.
Fix
Patch cPanel to a fixed version per the May 9 advisory. Apply the new patches alongside the existing CVE-2026-41940 (Sorry ransomware) fix. Tighten cPanel user account password policies and enforce 2FA for any account with API access. Restrict cPanel ports (2082-2087, 2095-2096) to trusted IPs to limit pre-auth attack surface.
vulnerability
CVE-2026-21571CVE-2026-33871
2026-04-21

Atlassian Bamboo Data Center hit with critical OS command injection (CVE-2026-21571, CVSS 9.4) - patch your CI/CD before someone uses it as a supply-chain pivot

Atlassian's April 21 security bulletin disclosed CVE-2026-21571, a critical OS command injection in Bamboo Data Center and Server with CVSS 9.4. An authenticated attacker can execute arbitrary commands on the underlying server, leading to full system compromise and lateral movement. Affected branches: 9.6, 10.0, 10.1, 10.2, 11.0, 11.1, 12.0, 12.1. The same bulletin patches CVE-2026-33871 (CVSS 8.7) - a Netty HTTP/2 DoS that can knock CI/CD pipelines offline. Bamboo sits at the heart of build pipelines, giving attackers a clean path to tamper with artifacts and harvest pipeline secrets.

atlassianbambooci-cdcommand-injectionsupply-chainnettyauthenticated-rce
Check
Inventory every Bamboo Data Center and Server instance you run and upgrade to 12.1.6 LTS, 10.2.18 LTS, or 9.6.25 today.
Affected
Atlassian Bamboo Data Center and Server versions 9.6.0 through 12.1.3 inclusive against CVE-2026-21571 (CVSS 9.4 OS command injection, authenticated). Also exposed to CVE-2026-33871 (CVSS 8.7 DoS via Netty HTTP/2). The authenticated requirement is small comfort - any leaked or shared technician credential is enough.
Fix
Upgrade to Bamboo 12.1.6 LTS, 10.2.18 LTS, or 9.6.25. Audit Bamboo accounts and disable shared logins; require MFA on every Bamboo auth path. Alert on shell interpreters or curl/wget spawning from the Bamboo Java process. Restrict the admin UI to internal networks. Rotate every credential stored in build configurations - they could have been read during the vulnerable window.