HIGHCVE-2026-32993Published 2026-05-13Modified 2026-05-14CNA hackerone

CVE-2026-32993: Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response

Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 11.132.0.32
Affected Products: 2

Fix available

11.132.0.3211.134.0.2611.136.0.1011.136.1.12

Affected packages

WebPros / cPanel
< 11.132.0.32 (from 11.132.0.0) · < 11.134.0.26 (from 11.134.0.0) · < 11.136.0.10 (from 11.136.0.0)
WebPros / WP Squared
< 11.136.1.12 (from 11.132.1.0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

References

support.cpanel.net

Metrics

Fix available