cPanel Control Panels for server hosting
By the Year
In 2026 there has been 1 vulnerability in cPanel with an average score of 9.8 out of ten. Last year, in 2025, cPanel had 1 security vulnerability published. If vulnerabilities keep coming in at the current rate, it appears that the number of security vulnerabilities in cPanel in 2026 could surpass last year's number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.00.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 9.80 |
| 2025 | 1 | 8.80 |
| 2024 | 0 | 0.00 |
| 2023 | 2 | 6.30 |
| 2022 | 1 | 8.80 |
| 2021 | 10 | 6.91 |
| 2020 | 42 | 7.50 |
| 2019 | 125 | 0.00 |
| 2018 | 1 | 6.10 |
It may take a day or so for new cPanel vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent cPanel Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-41940 | Apr 29, 2026 | cPanel & WHM Auth Bypass in Login (v<11.110.0.97, 11.118.0.63-54, 11.132.0.29, 11.134.0.20). cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel. | |
| CVE-2025-66429 | Dec 11, 2025 | cPanel Team Manager API Dir Traversal: Arbitrary File Write, Priv Esc. An issue was discovered in cPanel 110 through 132. A directory traversal vulnerability within the Team Manager API allows for overwrite of an arbitrary file. This can allow for privilege escalation to the root user. | |
| CVE-2023-29489 | Apr 27, 2023 | XSS on cPanel <11.109.9999.116 cpsrvd via invalid ID. An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31. | |
| CVE-2023-27927 | Mar 27, 2023 | cPanel SMTP Password Leak Cleartext Credential Disclosure. An authenticated malicious user could acquire the simple mail transfer protocol (SMTP) password in cleartext format, despite it being protected and hidden behind asterisks. The attacker could then perform further attacks using the SMTP credentials. | |
| CVE-2022-37903 | Dec 12, 2022 | cPanel Arbitrary File Write via Authenticated Web Interface. A vulnerability exists that allows an authenticated attacker to overwrite an arbitrary file with attacker-controlled content via the web interface. Successful exploitation of this vulnerability could lead to full compromise of the underlying host operating system. | |
| CVE-2021-38584 | Aug 11, 2021 | The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585). | |
| CVE-2021-38588 | Aug 11, 2021 | In cPanel before 96.0.13, fix_cpanel_perl lacks verification of the integrity of downloads (SEC-587). | |
| CVE-2021-38590 | Aug 11, 2021 | In cPanel before 96.0.8, weak permissions on web stats can lead to information disclosure (SEC-584). | |
| CVE-2021-38587 | Aug 11, 2021 | In cPanel before 96.0.13, scripts/fix-cpanel-perl mishandles the creation of temporary files (SEC-586). | |
| CVE-2021-38586 | Aug 11, 2021 | In cPanel before 98.0.1, /scripts/cpan_config performs unsafe operations on files (SEC-589). | |