CISA has added a LiteSpeed cPanel plugin flaw to its known-exploited list and given federal agencies until June 18 to patch. The bug (CVE-2026-54420, rated 8.5) lets a user who already has FTP or web-shell access on a shared hosting server escalate to root by abusing how the plugin follows symbolic links, on servers running CloudLinux or CageFS. On multi-tenant hosting that turns one compromised account into full control of the whole server and every site on it. Namecheap reported it after spotting suspicious activity, and LiteSpeed flagged active exploitation in early June. The fix is LiteSpeed WHM Plugin 5.3.2.1 with cPanel plugin 2.4.8.
LiteSpeed Technologies has patched CVE-2026-48172, a privilege-escalation vulnerability in its cPanel plugin that lets a low-privileged cPanel user trick the plugin into running scripts as root. The flaw has been observed under active exploitation. The fix lands in cPanel plugin v2.4.7 bundled with WHM plugin 5.3.1.0. Operators who cannot patch immediately are advised to uninstall the user-end plugin via /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall. This follows last month's actively exploited CVE-2026-41940 (CVSS 9.8) in cPanel itself, which threat actors used to drop Mirai variants and the Sorry ransomware strain. cPanel hosting providers and resellers are the primary targets.