HIGHCVE-2026-29202Published 2026-05-08Modified 2026-05-13CNA hackerone

CVE-2026-29202: Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user

Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 11.86.0.43
Affected Products: 3

Fix available

11.86.0.4311.94.0.3011.102.0.4111.110.0.11611.110.0.11711.118.0.6611.124.0.3711.126.0.5811.130.0.2211.132.0.3111.134.0.2511.136.0.911.136.1.11

Affected packages

WebPros / cPanel
< 11.136.0.9 (from 11.136.0.0) · < 11.134.0.25 (from 11.134.0.0) · < 11.132.0.31 (from 11.132.0.0) · < 11.130.0.22 (from 11.130.0.0) · < 11.126.0.58 (from 11.126.0.0) · < 11.124.0.37 (from 11.124.0.0)
WebPros / cPanel (CloudLinux 6, CentOS 6)
< 11.110.0.116 (from 11.110.0.0)
WebPros / WP Squared
< 11.136.1.11 (from 11.136.1.0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

support.cpanel.net

Metrics

Fix available