Last updated: May 13, 2026 at 5:42 AM UTC

cPanel patches three new flaws including two that let authenticated users run arbitrary Perl code on the server - on top of the active 'Sorry' ransomware wave still hitting unpatched systems

cPanel released patches Friday for three new vulnerabilities. The two worst (CVE-2026-29202 and CVE-2026-29203, both CVSS 8.8) let authenticated users execute arbitrary Perl code through the create_user API or escalate privileges via unsafe symlink chmod. The third (CVE-2026-29201, CVSS 4.3) lets authenticated users read arbitrary files. No exploitation observed yet. The disclosure lands while attackers are still mass-exploiting CVE-2026-41940 to deploy 'Sorry' ransomware against cPanel hosts, including a wave targeting government agencies and MSPs (covered May 5). Hosting providers face a compounding patch burden.

Check
Inventory cPanel and WHM versions. Check whether any servers are still on builds before the May 9 release. Search authentication logs for use of the create_user API or the feature::LOADFEATUREFILE adminbin call by accounts that don't normally use them.
Affected
cPanel and WHM versions before 11.136.0.9, 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, 11.124.0.37, 11.118.0.66, 11.110.0.116/117, 11.102.0.41, 11.94.0.30, 11.86.0.43. Legacy CentOS 6 and CloudLinux 6 customers must patch to 110.0.114. The CVSS 8.8 flaws require authentication, so internet-facing cPanel servers with weak password policies face acute risk.
Fix
Patch cPanel to a fixed version per the May 9 advisory. Apply the new patches alongside the existing CVE-2026-41940 (Sorry ransomware) fix. Tighten cPanel user account password policies and enforce 2FA for any account with API access. Restrict cPanel ports (2082-2087, 2095-2096) to trusted IPs to limit pre-auth attack surface.
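
The version inventory from the "Check" step can be compared against the fixed builds in the "Affected" list with a short script. This is an added example, not code from cPanel or the advisory; it assumes versions are recorded as `11.<branch>.0.<build>` strings, reads "11.110.0.116/117" as "116 or later", and uses constructed host names and sample versions.

```python
# Added example: fixed builds transcribed from the "Affected" list, keyed by branch.
FIXED_BUILD = {136: 9, 134: 25, 132: 31, 130: 22, 126: 58, 124: 37,
               118: 66, 110: 116, 102: 41, 94: 30, 86: 43}
# Assumption: "11.110.0.116/117" is read as "116 or later".
LEGACY_EL6_BUILD = {110: 114}  # CentOS 6 / CloudLinux 6 target stated on the page


def parse_version(version):
    """Return (branch, build) from '11.134.0.25' or the short form '134.0.25'."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) == 4 and parts[0] == 11:
        parts = parts[1:]
    if len(parts) != 3:
        raise ValueError(f"unexpected version format: {version!r}")
    return parts[0], parts[2]


def patch_status(version, legacy_el6=False):
    """Classify one version string as patched / vulnerable / unlisted / unparseable."""
    try:
        branch, build = parse_version(version)
    except ValueError:
        return "unparseable"
    table = {**FIXED_BUILD, **LEGACY_EL6_BUILD} if legacy_el6 else FIXED_BUILD
    if branch not in table:
        # The page names no fixed build for this branch, so do not guess.
        return "unlisted"
    return "patched" if build >= table[branch] else "vulnerable"


def needs_attention(inventory):
    """Return sorted (host, version, status) rows for everything not confirmed patched."""
    rows = []
    for host, (version, legacy_el6) in inventory.items():
        status = patch_status(version, legacy_el6)
        if status != "patched":
            rows.append((host, version, status))
    return sorted(rows)


# Constructed sample inventory: host -> (version string, is CentOS 6 / CloudLinux 6)
SAMPLE = {
    "web01.example": ("11.134.0.25", False),
    "web02.example": ("11.134.0.24", False),
    "web03.example": ("11.128.0.12", False),
    "old01.example": ("11.110.0.114", True),
    "old02.example": ("11.110.0.114", False),
    "web04.example": ("unknown", False),
}

if __name__ == "__main__":
    for row in needs_attention(SAMPLE):
        print(*row, sep="\t")
```

Hosts reported as "unlisted" or "unparseable" are on a branch or format the list above does not cover and need a manual check against the vendor advisory.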