RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: cvss-8-8 (2 articles)Clear
vulnerability
CVE-2026-29201CVE-2026-29202CVE-2026-29203
2026-05-09

cPanel patches three new flaws including two that let authenticated users run arbitrary Perl code on the server - on top of the active 'Sorry' ransomware wave still hitting unpatched systems

cPanel released patches Friday for three new vulnerabilities. The two worst (CVE-2026-29202 and CVE-2026-29203, both CVSS 8.8) let authenticated users execute arbitrary Perl code through the create_user API or escalate privileges via unsafe symlink chmod. The third (CVE-2026-29201, CVSS 4.3) lets authenticated users read arbitrary files. No exploitation observed yet. The disclosure lands while attackers are still mass-exploiting CVE-2026-41940 to deploy 'Sorry' ransomware against cPanel hosts, including a wave targeting government agencies and MSPs (covered May 5). Hosting providers face a compounding patch burden.

cpanelwhmauthenticated-rceperl-code-executionsymlinkprivilege-escalationsorry-ransomware-contextcompounding-patchescvss-8-8
Check
Inventory cPanel and WHM versions. Check whether any servers are still on builds before the May 9 release. Search authentication logs for use of the create_user API or feature::LOADFEATUREFILE adminbin call by accounts that don't normally use them.
Affected
cPanel and WHM versions before 11.136.0.9, 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, 11.124.0.37, 11.118.0.66, 11.110.0.116/117, 11.102.0.41, 11.94.0.30, 11.86.0.43. Legacy CentOS 6 and CloudLinux 6 customers must patch to 110.0.114. The CVSS 8.8 flaws require authentication, so internet-facing cPanel servers with weak password policies face acute risk.
Fix
Patch cPanel to a fixed version per the May 9 advisory. Apply the new patches alongside the existing CVE-2026-41940 (Sorry ransomware) fix. Tighten cPanel user account password policies and enforce 2FA for any account with API access. Restrict cPanel ports (2082-2087, 2095-2096) to trusted IPs to limit pre-auth attack surface.
vulnerability
CVE-2026-23918CVE-2026-24072CVE-2026-28780CVE-2026-29168CVE-2026-29169
2026-05-05

Apache web server has a critical flaw in HTTP/2 that crashes servers and could let attackers run code (CVE-2026-23918)

Apache patched a double-free vulnerability in mod_http2 yesterday. CVE-2026-23918 (CVSS 8.8) lets a remote attacker crash the server immediately, with a path to remote code execution under specific memory-layout conditions. The bug is in the stream cleanup code in h2_mplx.c and is triggered by a crafted sequence of HTTP/2 frames including an early stream reset. mod_http2 ships in default Apache builds and HTTP/2 is widely enabled in production. The MPM prefork worker is not affected. Researchers warn practical RCE requires an info leak and probabilistic heap spray, but in lab conditions execution lands in minutes.

apachehttp2mod_http2double-freercedoscvss-8-8striga-aiisecapache-http-server
Check
Identify Apache HTTP Server 2.4.66 installations. Run 'httpd -v' or 'apache2 -v' on each server, and check whether mod_http2 is enabled with 'apache2ctl -M | grep http2'.
Affected
Apache HTTP Server 2.4.66 with mod_http2 enabled (default in most builds). CVE-2026-23918, CVSS 8.8. The MPM prefork worker is not affected; MPM event and worker (default in modern installs) are vulnerable. No public proof-of-concept yet but exploitation is straightforward for DoS. Internet-facing Apache servers running HTTP/2 are at acute risk.
Fix
Upgrade to Apache HTTP Server 2.4.67. If immediate upgrade isn't possible, disable mod_http2 with 'a2dismod http2' - but this drops HTTP/2 support entirely. The 2.4.67 release also patches mod_rewrite (CVE-2026-24072), mod_proxy_ajp (CVE-2026-28780), mod_md, and mod_dav_lock - apply all fixes together.