CVE-2026-54420 | Severity: HIGH | CNA: mitre

CVE-2026-54420: LiteSpeed cPanel plugin before 2.4.8

LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.

Metrics

CVSS v3.1: 8.5
Severity: HIGH
Fixed in: 2.4.8
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a symlink-handling vulnerability in the LiteSpeed cPanel plugin before version 2.4.8 (distributed as part of LiteSpeed WHM PlugIn before 5.3.2.0). An attacker with low-privilege access (CVSS PR:L), such as an FTP account or a web shell on a shared hosting server running CloudLinux/CageFS, can plant crafted symlinks that the plugin mishandles, reaching files outside the tenant's CageFS boundary. The CVSS vector (S:C, C:H/I:H/A:H) records full loss of confidentiality, integrity and availability in components beyond the plugin itself, so successful exploitation allows the attacker to read, modify, or destroy data across the host, and the record states that the flaw was exploited in the wild in May 2026. A patched-image rebuild at version 2.4.8 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-54420 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle the LiteSpeed cPanel plugin. Coverage extends to pipeline scans and registry scans so affected image layers are flagged before deployment.

Triage: Available

Triage is available with the CVSS v3.1 score of 8.5 (HIGH) applied automatically, weighted against each customer organization's compliance policy to determine priority. Findings are routed to the appropriate team inbox within each customer org based on configured severity thresholds and ownership rules.

Patch: Available

A patched-image rebuild at version 2.4.8 is available on HarborGuard for any environment where an affected version (2.3 up to, but not including, 2.4.8) is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required (AV:N)

    The attacker must reach the service over the network; on shared hosting this is the FTP or web access the tenant already has, and the infrastructure is typically internet-facing.

  • Authentication: Required (PR:L)

    A low-privilege account is sufficient; FTP credentials or web shell access on the shared hosting server is enough to plant the symlinks the plugin mishandles.

  • Victim interaction: Not required (UI:N)

    No action from any other user or administrator is needed to complete the attack.

  • Attack complexity: High (AC:H)

    Success depends on conditions beyond the attacker's control. The advisory does not name them; on this platform the specific CageFS configuration or a timing window are plausible factors, but that is inference rather than anything the record confirms.

Blast Radius

  • Reads arbitrary files on the host system outside the attacker's CageFS sandbox, including credentials, configuration files, and data belonging to other hosting accounts.
  • Modifies or overwrites files across the host, enabling tampering with other tenants' web content, configuration, or application data.
  • Destroys files outside the attacker's intended scope, causing data loss for co-hosted tenants or disrupting host-level services.
  • The CVSS vector (S:C with C:H/I:H/A:H) records full loss of confidentiality, integrity, and availability in components beyond the vulnerable plugin, which is consistent with host-level rather than single-tenant impact.
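The Synopsis and the Blast Radius above describe one bug class: a privileged helper that follows tenant-planted symlinks out of the tenant's home. The block below is an added example, not code from LiteSpeed, cPanel or HarborGuard (the advisory does not show the plugin's internals). It contrasts the symlink-following pattern with a hardened component-wise open using O_NOFOLLOW and an ownership check, and adds the sweep a responder would run over tenant homes to find symlinks that resolve outside them. It assumes Linux semantics (ELOOP from O_NOFOLLOW, dir_fd support in os.open); the tenant layout, file names and secret contents are constructed in a temporary directory, and the "tenant" is the current uid.

```python
"""Added example (not LiteSpeed's or HarborGuard's code): the symlink-following
pattern the advisory describes, a hardened open, and a responder's sweep.
Layout, names and contents are constructed; Linux semantics are assumed."""
import os
import tempfile


def read_tenant_file_unsafe(tenant_home: str, relpath: str) -> bytes:
    # Vulnerable pattern: join and open. open() follows symlinks in every
    # component, so a tenant-controlled link sends a root-running helper
    # anywhere on the host, across the CageFS boundary.
    with open(os.path.join(tenant_home, relpath), "rb") as f:
        return f.read()


def read_tenant_file_safe(tenant_home: str, relpath: str, tenant_uid: int) -> bytes:
    # Hardened form. O_NOFOLLOW alone only guards the final component; the
    # kernel still follows symlinks in intermediate directories. So each
    # component is opened relative to the previous directory fd, with
    # O_NOFOLLOW (ELOOP on a symlink) and an ownership check on every hop.
    parts = [p for p in relpath.split("/") if p]
    if os.path.isabs(relpath) or not parts or ".." in parts:
        raise PermissionError("path must be relative and must not contain '..'")
    fd = os.open(tenant_home, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for i, part in enumerate(parts):
            flags = os.O_RDONLY | os.O_NOFOLLOW
            if i < len(parts) - 1:
                flags |= os.O_DIRECTORY
            try:
                nfd = os.open(part, flags, dir_fd=fd)
            except OSError as exc:  # ELOOP for a symlink, ENOTDIR, ENOENT, ...
                raise PermissionError(f"refusing component {part!r}: {exc.strerror}") from exc
            os.close(fd)
            fd = nfd
            if os.fstat(fd).st_uid != tenant_uid:
                raise PermissionError(f"{part!r} is not owned by the tenant")
        with os.fdopen(fd, "rb") as f:
            fd = -1  # fdopen now owns the descriptor
            return f.read()
    finally:
        if fd >= 0:
            os.close(fd)


def find_escaping_symlinks(tenant_home: str):
    # Responder's sweep: every symlink under the home whose resolved target
    # lies outside it. Dangling links are reported too, since a link staged
    # for a target that does not exist yet is just as suspicious.
    root = os.path.realpath(tenant_home)
    findings = []
    for dirpath, dirnames, filenames in os.walk(tenant_home, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            if os.path.commonpath([root, target]) != root:
                findings.append((os.path.relpath(link, tenant_home), target))
    return sorted(findings)


def build_fixture():
    # Constructed layout: a tenant home with one legitimate file plus two
    # tenant-planted symlinks, one on a file and one on a directory.
    base = tempfile.mkdtemp(prefix="cve-2026-54420-demo-")
    home = os.path.join(base, "home", "tenant")
    os.makedirs(os.path.join(home, "public_html"))
    outside = os.path.join(base, "outside_secret")
    with open(outside, "wb") as f:
        f.write(b"host-level secret\n")
    with open(os.path.join(home, "public_html", "index.html"), "wb") as f:
        f.write(b"<h1>ok</h1>\n")
    os.symlink(outside, os.path.join(home, "public_html", "notes.txt"))
    os.symlink(base, os.path.join(home, "public_html", "cfg"))
    return home, outside


def demo():
    home, _outside = build_fixture()
    uid = os.getuid()  # the "tenant" owns everything it created
    out = {
        "unsafe_file_link": read_tenant_file_unsafe(home, "public_html/notes.txt"),
        "unsafe_dir_link": read_tenant_file_unsafe(home, "public_html/cfg/outside_secret"),
        "safe_legit": read_tenant_file_safe(home, "public_html/index.html", uid),
        "sweep": find_escaping_symlinks(home),
    }
    for rel in ("public_html/notes.txt", "public_html/cfg/outside_secret", "../outside_secret"):
        try:
            read_tenant_file_safe(home, rel, uid)
            out[rel] = "ALLOWED"
        except PermissionError:
            out[rel] = "REFUSED"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The unsafe reader returns the out-of-home secret through both the file symlink and the directory symlink; the hardened reader refuses both and the `..` attempt, while still serving the legitimate file. The sweep lists both planted links with their resolved targets, which is the shape of check worth running across tenant homes on a host that carried an affected plugin version.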

How HarborGuard Handles This

Detection for CVE-2026-54420 activates the moment the advisory is ingested, matching against all images that include the LiteSpeed cPanel plugin in the affected range (2.3 up to, but not including, 2.4.8). Given the HIGH severity score of 8.5 and confirmed in-the-wild exploitation, this CVE is prioritized automatically in triage. For customers who opt into auto-remediation, HarborGuard makes a rebuilt image at version 2.4.8 available, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the configured owner inbox with full fix context attached. Because this vulnerability requires only low-privilege hosting access and is already being actively exploited, customers running shared hosting infrastructure should treat patching as urgent regardless of auto-remediation configuration.


Fix available: 2.4.8

Affected packages
  • LiteSpeed Technologies / cPanel Plugin: >= 2.3, < 2.4.8
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H