HIGHCVE-2026-29205Published 2026-05-13Modified 2026-05-14CNA hackerone

CVE-2026-29205: Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints

Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints.

CVSS v3.1: 8.6
Severity: HIGH
Fixed in: 11.124.0.38
Affected Products: 2

Fix available

11.124.0.3811.126.0.5911.130.0.2311.132.0.3211.134.0.2611.136.0.1011.136.1.12

Affected packages

WebPros / cPanel
< 11.136.0.10 (from 11.136.0.0) · < 11.134.0.26 (from 11.134.0.0) · < 11.132.0.32 (from 11.132.0.0) · < 11.130.0.23 (from 11.130.0.0) · < 11.126.0.59 (from 11.126.0.0) · < 11.124.0.38 (from 11.120.0.0)
WebPros / WP Squared
< 11.136.1.12 (from 11.120.1.0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

References

support.cpanel.net

Metrics

Fix available