HIGHCVE-2026-29206Published 2026-05-13Modified 2026-05-14CNA hackerone

CVE-2026-29206: Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled

Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled.

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 11.86.0.44
Affected Products: 3

Fix available

11.86.0.4411.94.0.3111.102.0.4211.110.0.11811.110.0.11911.118.0.6711.124.0.3811.126.0.5911.130.0.2311.132.0.3211.134.0.2611.136.0.1011.136.1.12

Affected packages

WebPros / cPanel
< 11.136.0.10 (from 11.136.0.0) · < 11.134.0.26 (from 11.134.0.0) · < 11.132.0.32 (from 11.132.0.0) · < 11.130.0.23 (from 11.130.0.0) · < 11.126.0.59 (from 11.126.0.0) · < 11.124.0.38 (from 11.124.0.0)
WebPros / WP Squared
< 11.136.1.12 (from 11.136.1.0)
WebPros / cPanel (CloudLinux 6, CentOS 6)
< 11.110.0.118 (from 11.110.0.0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

References

support.cpanel.net

Metrics

Fix available