HIGHCVE-2026-29201Published Modified CNA hackerone
CVE-2026-29201: Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed
Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
Metrics
- CVSS v3.1
- 8.6
- Severity
- HIGH
- Fixed in
- 11.86.0.43
- Affected Products
- 3
Fix available
11.86.0.4311.94.0.3011.102.0.4111.110.0.11611.110.0.11711.118.0.6611.124.0.3711.126.0.5811.130.0.2211.132.0.3111.134.0.2511.136.0.911.136.1.11
Affected packages
- WebPros / cPanel< 11.136.0.9 (from 11.136.0.0) · < 11.134.0.25 (from 11.134.0.0) · < 11.132.0.31 (from 11.132.0.0) · < 11.130.0.22 (from 11.130.0.0) · < 11.126.0.58 (from 11.126.0.0) · < 11.124.0.37 (from 11.124.0.0)
- WebPros / WP Squared< 11.136.1.11 (from 11.136.1.0)
- WebPros / cPanel (CloudLinux 6, CentOS 6)< 11.110.0.116 (from 11.110.0.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:LReferences