cPanel


By the Year

In 2025 there have been 0 vulnerabilities in cPanel. cPanel did not have any published security vulnerabilities last year.

Year  Vulnerabilities  Average Score
2025  0                0.00
2024  0                0.00
2023  1                6.10
2022  0                0.00
2021  10               6.91
2020  42               7.27
2019  125              5.51
2018  1                6.10

It may take a day or so for new cPanel vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent cPanel Security Vulnerabilities

An issue was discovered in cPanel before 11.109.9999.116

CVE-2023-29489 6.1 - Medium - April 27, 2023

An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.

XSS

In cPanel before 96.0.13

CVE-2021-38589 8.1 - High - August 11, 2021

In cPanel before 96.0.13, scripts/fix-cpanel-perl does not properly restrict the overwriting of files (SEC-588).

In cPanel before 96.0.8, weak permissions on web stats

CVE-2021-38590 5.5 - Medium - August 11, 2021

In cPanel before 96.0.8, weak permissions on web stats can lead to information disclosure (SEC-584).

Incorrect Permission Assignment for Critical Resource

The WHM Locale Upload feature in cPanel before 98.0.1

CVE-2021-38584 7.2 - High - August 11, 2021

The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585).

XXE

The WHM Locale Upload feature in cPanel before 98.0.1

CVE-2021-38585 7.2 - High - August 11, 2021

The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585).

Marshaling, Unmarshaling

In cPanel before 98.0.1

CVE-2021-38586 4.4 - Medium - August 11, 2021

In cPanel before 98.0.1, /scripts/cpan_config performs unsafe operations on files (SEC-589).

In cPanel before 96.0.13

CVE-2021-38587 7.5 - High - August 11, 2021

In cPanel before 96.0.13, scripts/fix-cpanel-perl mishandles the creation of temporary files (SEC-586).

Race Condition

In cPanel before 96.0.13

CVE-2021-38588 8.1 - High - August 11, 2021

In cPanel before 96.0.13, fix_cpanel_perl lacks verification of the integrity of downloads (SEC-587).

Download of Code Without Integrity Check

cPanel before 94.0.3

CVE-2021-31803 6.1 - Medium - April 26, 2021

cPanel before 94.0.3 allows self-XSS via EasyApache 4 Save Profile (SEC-581).

XSS

cPanel before 92.0.9

CVE-2021-26267 7.5 - High - January 26, 2021

cPanel before 92.0.9 allows a MySQL user (who has an old-style password hash) to bypass suspension (SEC-579).

cPanel before 92.0.9

CVE-2021-26266 7.5 - High - January 26, 2021

cPanel before 92.0.9 allows a Reseller to bypass the suspension lock (SEC-578).

cPanel before 90.0.17

CVE-2020-29137 6.1 - Medium - November 27, 2020

cPanel before 90.0.17 allows self-XSS via the WHM Transfer Tool interface (SEC-577).

XSS

In cPanel before 90.0.17, 2FA can be bypassed

CVE-2020-29136 6.5 - Medium - November 27, 2020

In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575).

Improper Restriction of Excessive Authentication Attempts

cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).

CVE-2020-29135 4.1 - Medium - November 27, 2020

cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).

Injection

cPanel before 90.0.10

CVE-2020-26115 6.1 - Medium - September 25, 2020

cPanel before 90.0.10 allows self XSS via the Cron Editor interface (SEC-574).

XSS

cPanel before 90.0.10

CVE-2020-26114 6.1 - Medium - September 25, 2020

cPanel before 90.0.10 allows self XSS via the Cron Jobs interface (SEC-573).

XSS

cPanel before 90.0.10

CVE-2020-26113 6.1 - Medium - September 25, 2020

cPanel before 90.0.10 allows self XSS via WHM Manage API Tokens interfaces (SEC-569).

XSS

The email quota cache in cPanel before 90.0.10

CVE-2020-26112 7.5 - High - September 25, 2020

The email quota cache in cPanel before 90.0.10 allows overwriting of files.

cPanel before 90.0.10

CVE-2020-26111 6.1 - Medium - September 25, 2020

cPanel before 90.0.10 allows self XSS via the WHM Edit DNS Zone interface (SEC-566).

XSS

cPanel before 88.0.13

CVE-2020-26110 6.1 - Medium - September 25, 2020

cPanel before 88.0.13 allows self XSS via DNS Zone Manager DNSSEC interfaces (SEC-564).

XSS

cPanel before 88.0.13 allows bypass of a protection mechanism

CVE-2020-26109 7.5 - High - September 25, 2020

cPanel before 88.0.13 allows bypass of a protection mechanism that attempted to restrict package modification (SEC-557).

cPanel before 88.0.13 mishandles file-extension dispatching

CVE-2020-26108 9.8 - Critical - September 25, 2020

cPanel before 88.0.13 mishandles file-extension dispatching, leading to code execution (SEC-488).

cPanel before 88.0.3

CVE-2020-26107 7.5 - High - September 25, 2020

cPanel before 88.0.3, upon an upgrade, establishes predictable PowerDNS API keys (SEC-561).

Inadequate Encryption Strength

cPanel before 88.0.3 has weak permissions (world readable) for the proxy subdomains log file (SEC-558).

CVE-2020-26106 7.5 - High - September 25, 2020

cPanel before 88.0.3 has weak permissions (world readable) for the proxy subdomains log file (SEC-558).

Insertion of Sensitive Information into Log File

In cPanel before 88.0.3

CVE-2020-26105 9.8 - Critical - September 25, 2020

In cPanel before 88.0.3, insecure chkservd test credentials are used on a templated VM (SEC-554).

Insufficiently Protected Credentials

In cPanel before 88.0.3

CVE-2020-26104 7.5 - High - September 25, 2020

In cPanel before 88.0.3, an insecure SRS secret is used on a templated VM (SEC-552).

Insecure Storage of Sensitive Information

In cPanel before 88.0.3

CVE-2020-26103 7.5 - High - September 25, 2020

In cPanel before 88.0.3, an insecure site password is used for Mailman on a templated VM (SEC-551).

Weak Password Requirements

In cPanel before 88.0.3

CVE-2020-26102 7.5 - High - September 25, 2020

In cPanel before 88.0.3, an insecure auth policy API key is used by Dovecot on a templated VM (SEC-550).

AuthZ

In cPanel before 88.0.3

CVE-2020-26101 9.8 - Critical - September 25, 2020

In cPanel before 88.0.3, insecure RNDC credentials are used for BIND on a templated VM (SEC-549).

Insufficiently Protected Credentials

chsh in cPanel before 88.0.3

CVE-2020-26100 9.8 - Critical - September 25, 2020

chsh in cPanel before 88.0.3 allows a Jailshell escape (SEC-497).

cPanel before 88.0.3

CVE-2020-26099 7.5 - High - September 25, 2020

cPanel before 88.0.3 allows attackers to bypass the SMTP greylisting protection mechanism (SEC-491).

cPanel before 88.0.3 mishandles the Exim filter path

CVE-2020-26098 9.8 - Critical - September 25, 2020

cPanel before 88.0.3 mishandles the Exim filter path, leading to remote code execution (SEC-485).

cPanel before 86.0.14

CVE-2020-12785 8.1 - High - May 11, 2020

cPanel before 86.0.14 allows attackers to obtain access to the current working directory via the account backup feature (SEC-540).

AuthZ

cPanel before 86.0.14

CVE-2020-12784 5.3 - Medium - May 11, 2020

cPanel before 86.0.14 allows remote attackers to trigger a bandwidth suspension via mail log strings (SEC-505).

Improper Input Validation

cPanel before 84.0.20

CVE-2020-10114 6.1 - Medium - March 17, 2020

cPanel before 84.0.20 allows stored self-XSS via the HTML file editor (SEC-535).

XSS

cPanel before 82.0.18

CVE-2019-20490 8.8 - High - March 17, 2020

cPanel before 82.0.18 allows authentication bypass because webmail usernames are processed inconsistently (SEC-499).

cPanel before 82.0.18

CVE-2019-20492 8.8 - High - March 17, 2020

cPanel before 82.0.18 allows authentication bypass because of misparsing of the format of the password file (SEC-516).

cPanel before 82.0.18

CVE-2019-20493 6.1 - Medium - March 17, 2020

cPanel before 82.0.18 allows self-XSS because JSON string escaping is mishandled (SEC-520).

XSS

In cPanel before 82.0.18, Cpanel::Rand::Get

CVE-2019-20494 3.3 - Low - March 17, 2020

In cPanel before 82.0.18, Cpanel::Rand::Get can produce a predictable series of numbers (SEC-525).

Improper Input Validation

cPanel before 82.0.18

CVE-2019-20495 6.5 - Medium - March 17, 2020

cPanel before 82.0.18 allows attackers to read an arbitrary database via MySQL dump streaming (SEC-531).

Information Disclosure

cPanel before 82.0.18

CVE-2019-20496 5.5 - Medium - March 17, 2020

cPanel before 82.0.18 allows attackers to conduct arbitrary chown operations as root during log processing (SEC-532).

cPanel before 82.0.18

CVE-2019-20498 9.8 - Critical - March 17, 2020

cPanel before 82.0.18 allows WebDAV authentication bypass because the connection-sharing logic is incorrect (SEC-534).

cPanel before 84.0.20

CVE-2020-10122 6.5 - Medium - March 17, 2020

cPanel before 84.0.20 allows a webmail or demo account to delete arbitrary files (SEC-547).

Improper Input Validation

cPanel before 84.0.20

CVE-2020-10121 9.8 - Critical - March 17, 2020

cPanel before 84.0.20 allows a demo account to achieve code execution via PassengerApps APIs (SEC-546).

cPanel before 84.0.20

CVE-2020-10120 7.2 - High - March 17, 2020

cPanel before 84.0.20 allows resellers to achieve remote code execution as root via a cpsrvd rsync shell (SEC-545).

AuthZ

cPanel before 84.0.20

CVE-2020-10119 9.8 - Critical - March 17, 2020

cPanel before 84.0.20 allows a demo account to achieve remote code execution via a cpsrvd rsync shell (SEC-544).

cPanel before 84.0.20

CVE-2020-10118 9.1 - Critical - March 17, 2020

cPanel before 84.0.20 allows a demo account to modify files via Branding API calls (SEC-543).

cPanel before 84.0.20 mishandles enforcement of demo checks in the Market UAPI namespace (SEC-542).

CVE-2020-10117 9.1 - Critical - March 17, 2020

cPanel before 84.0.20 mishandles enforcement of demo checks in the Market UAPI namespace (SEC-542).

AuthZ

cPanel before 82.0.18

CVE-2019-20497 5.4 - Medium - March 17, 2020

cPanel before 82.0.18 allows stored XSS via WHM Backup Restoration (SEC-533).

XSS

cPanel before 84.0.20

CVE-2020-10116 5.3 - Medium - March 17, 2020

cPanel before 84.0.20 allows attackers to bypass intended restrictions on features and demo accounts via WebDisk UAPI calls (SEC-541).

AuthZ


Vendor: cPanel
Product: cPanel
