First posted on Wednesday, 13 May 2026
This advisory is provided as a courtesy.
We want to bring to your attention some newly discovered vulnerabilities across versions of cPanel and WHM. These vulnerabilities have been assigned CVE numbers: CVE-2026-29205, CVE-2026-29206, CVE-2026-32991, CVE-2026-32992 and CVE-2026-32993.
A cPanel and WHM security patch is expected to be released on Thursday, 14 May 2026 at 01:00am Singapore time (GMT+0800). When the security patch is released, we recommend customers running WHM/cPanel on their servelets and servers to perform manual update while waiting for the nightly automatic update is triggered.
Affected Software
WHM/cPanel versions 86, 94, 102, 110, 110 CL6, 118, 124, 126, 130, 132, 134, 136, 136 (WP2).
How to Fix the Problem
Update to the latest version of WHM/cPanel after the security patch is released:
/scripts/upcp
More Information
Another round of critical cPanel updates to be released 5/13/2026 1pm EST
Notes:
We will be performing urgent update to patch all our internal servers once the patch is available.
Request Assistance
If you are running vulnerable WHM/cPanel version and need our assistance to patch it once the security patch is released, we can do it for you at a one-time discounted fee of $30. Please submit your order at Order -> Additional Services -> Vulnerability Fix - Linux Kernel and WHM/cPanel Vulnerabilities - $30.
Note: This service is only applicable on WHM/cPanel running on supported operating systems that is generally still maintained and not EOL. Please check with us first by opening a ticket before ordering this service.
Alternatively, please first open a support ticket and give us the hostname, IP address and OS template. You can find this information on your servelet's control panel.
For example:
Hostname: yourservelethostname
IP Address: 103.25.202.81
OS Template: AlmaLinux 8.10 (64-bit)
Thank you.
??
English
Bahasa Indonesia
???
Espanol