Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: shared-hosting (1 article)Clear

Exploited LiteSpeed cPanel plugin flaw lets hosting users gain root

CISA has added a LiteSpeed cPanel plugin flaw to its known-exploited list and given federal agencies until June 18 to patch. The bug (CVE-2026-54420, rated 8.5) lets a user who already has FTP or web-shell access on a shared hosting server escalate to root by abusing how the plugin follows symbolic links, on servers running CloudLinux or CageFS. On multi-tenant hosting that turns one compromised account into full control of the whole server and every site on it. Namecheap reported it after spotting suspicious activity, and LiteSpeed flagged active exploitation in early June. The fix is LiteSpeed WHM Plugin 5.3.2.1 with cPanel plugin 2.4.8.

Check
Identify shared-hosting servers running the LiteSpeed cPanel plugin on CloudLinux or CageFS, confirm the version, and review logs for unexpected privilege changes or suspicious command activity.
Affected
Shared hosting servers running the LiteSpeed cPanel user-end plugin before 2.4.8 on CloudLinux or CageFS (CVE-2026-54420); any account with FTP or web-shell access can escalate to root.
Fix
Upgrade to LiteSpeed WHM Plugin 5.3.2.1 (cPanel plugin 2.4.8) or later now. If you cannot patch immediately, remove the user-end plugin, then hunt for signs of prior root-level compromise.