cPanel
By the Year
In 2025 there have been 0 vulnerabilities in cPanel. cPanel did not have any published security vulnerabilities last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 0 | 0.00 |
2023 | 1 | 6.10 |
2022 | 0 | 0.00 |
2021 | 10 | 6.91 |
2020 | 42 | 7.27 |
2019 | 125 | 5.51 |
2018 | 1 | 6.10 |
It may take a day or so for new cPanel vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent cPanel Security Vulnerabilities
An issue was discovered in cPanel before 11.109.9999.116
CVE-2023-29489
6.1 - Medium
- April 27, 2023
An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.
XSS
In cPanel before 96.0.13
CVE-2021-38589
8.1 - High
- August 11, 2021
In cPanel before 96.0.13, scripts/fix-cpanel-perl does not properly restrict the overwriting of files (SEC-588).
In cPanel before 96.0.8, weak permissions on web stats
CVE-2021-38590
5.5 - Medium
- August 11, 2021
In cPanel before 96.0.8, weak permissions on web stats can lead to information disclosure (SEC-584).
Incorrect Permission Assignment for Critical Resource
The WHM Locale Upload feature in cPanel before 98.0.1
CVE-2021-38584
7.2 - High
- August 11, 2021
The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585).
XXE
The WHM Locale Upload feature in cPanel before 98.0.1
CVE-2021-38585
7.2 - High
- August 11, 2021
The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585).
Marshaling, Unmarshaling
In cPanel before 98.0.1
CVE-2021-38586
4.4 - Medium
- August 11, 2021
In cPanel before 98.0.1, /scripts/cpan_config performs unsafe operations on files (SEC-589).
In cPanel before 96.0.13
CVE-2021-38587
7.5 - High
- August 11, 2021
In cPanel before 96.0.13, scripts/fix-cpanel-perl mishandles the creation of temporary files (SEC-586).
Race Condition
In cPanel before 96.0.13
CVE-2021-38588
8.1 - High
- August 11, 2021
In cPanel before 96.0.13, fix_cpanel_perl lacks verification of the integrity of downloads (SEC-587).
Download of Code Without Integrity Check
cPanel before 94.0.3
CVE-2021-31803
6.1 - Medium
- April 26, 2021
cPanel before 94.0.3 allows self-XSS via EasyApache 4 Save Profile (SEC-581).
XSS
cPanel before 92.0.9
CVE-2021-26267
7.5 - High
- January 26, 2021
cPanel before 92.0.9 allows a MySQL user (who has an old-style password hash) to bypass suspension (SEC-579).
cPanel before 92.0.9
CVE-2021-26266
7.5 - High
- January 26, 2021
cPanel before 92.0.9 allows a Reseller to bypass the suspension lock (SEC-578).
cPanel before 90.0.17
CVE-2020-29137
6.1 - Medium
- November 27, 2020
cPanel before 90.0.17 allows self-XSS via the WHM Transfer Tool interface (SEC-577).
XSS
In cPanel before 90.0.17, 2FA can be bypassed
CVE-2020-29136
6.5 - Medium
- November 27, 2020
In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575).
Improper Restriction of Excessive Authentication Attempts
cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).
CVE-2020-29135
4.1 - Medium
- November 27, 2020
cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).
Injection
cPanel before 90.0.10
CVE-2020-26115
6.1 - Medium
- September 25, 2020
cPanel before 90.0.10 allows self XSS via the Cron Editor interface (SEC-574).
XSS
cPanel before 90.0.10
CVE-2020-26114
6.1 - Medium
- September 25, 2020
cPanel before 90.0.10 allows self XSS via the Cron Jobs interface (SEC-573).
XSS
cPanel before 90.0.10
CVE-2020-26113
6.1 - Medium
- September 25, 2020
cPanel before 90.0.10 allows self XSS via WHM Manage API Tokens interfaces (SEC-569).
XSS
The email quota cache in cPanel before 90.0.10
CVE-2020-26112
7.5 - High
- September 25, 2020
The email quota cache in cPanel before 90.0.10 allows overwriting of files.
cPanel before 90.0.10
CVE-2020-26111
6.1 - Medium
- September 25, 2020
cPanel before 90.0.10 allows self XSS via the WHM Edit DNS Zone interface (SEC-566).
XSS
cPanel before 88.0.13
CVE-2020-26110
6.1 - Medium
- September 25, 2020
cPanel before 88.0.13 allows self XSS via DNS Zone Manager DNSSEC interfaces (SEC-564).
XSS
cPanel before 88.0.13 allows bypass of a protection mechanism
CVE-2020-26109
7.5 - High
- September 25, 2020
cPanel before 88.0.13 allows bypass of a protection mechanism that attempted to restrict package modification (SEC-557).
cPanel before 88.0.13 mishandles file-extension dispatching
CVE-2020-26108
9.8 - Critical
- September 25, 2020
cPanel before 88.0.13 mishandles file-extension dispatching, leading to code execution (SEC-488).
cPanel before 88.0.3
CVE-2020-26107
7.5 - High
- September 25, 2020
cPanel before 88.0.3, upon an upgrade, establishes predictable PowerDNS API keys (SEC-561).
Inadequate Encryption Strength
cPanel before 88.0.3 has weak permissions (world readable) for the proxy subdomains log file (SEC-558).
CVE-2020-26106
7.5 - High
- September 25, 2020
cPanel before 88.0.3 has weak permissions (world readable) for the proxy subdomains log file (SEC-558).
Insertion of Sensitive Information into Log File
In cPanel before 88.0.3
CVE-2020-26105
9.8 - Critical
- September 25, 2020
In cPanel before 88.0.3, insecure chkservd test credentials are used on a templated VM (SEC-554).
Insufficiently Protected Credentials
In cPanel before 88.0.3
CVE-2020-26104
7.5 - High
- September 25, 2020
In cPanel before 88.0.3, an insecure SRS secret is used on a templated VM (SEC-552).
Insecure Storage of Sensitive Information
In cPanel before 88.0.3
CVE-2020-26103
7.5 - High
- September 25, 2020
In cPanel before 88.0.3, an insecure site password is used for Mailman on a templated VM (SEC-551).
Weak Password Requirements
In cPanel before 88.0.3
CVE-2020-26102
7.5 - High
- September 25, 2020
In cPanel before 88.0.3, an insecure auth policy API key is used by Dovecot on a templated VM (SEC-550).
AuthZ
In cPanel before 88.0.3
CVE-2020-26101
9.8 - Critical
- September 25, 2020
In cPanel before 88.0.3, insecure RNDC credentials are used for BIND on a templated VM (SEC-549).
Insufficiently Protected Credentials
chsh in cPanel before 88.0.3
CVE-2020-26100
9.8 - Critical
- September 25, 2020
chsh in cPanel before 88.0.3 allows a Jailshell escape (SEC-497).
cPanel before 88.0.3
CVE-2020-26099
7.5 - High
- September 25, 2020
cPanel before 88.0.3 allows attackers to bypass the SMTP greylisting protection mechanism (SEC-491).
cPanel before 88.0.3 mishandles the Exim filter path
CVE-2020-26098
9.8 - Critical
- September 25, 2020
cPanel before 88.0.3 mishandles the Exim filter path, leading to remote code execution (SEC-485).
cPanel before 86.0.14
CVE-2020-12785
8.1 - High
- May 11, 2020
cPanel before 86.0.14 allows attackers to obtain access to the current working directory via the account backup feature (SEC-540).
AuthZ
cPanel before 86.0.14
CVE-2020-12784
5.3 - Medium
- May 11, 2020
cPanel before 86.0.14 allows remote attackers to trigger a bandwidth suspension via mail log strings (SEC-505).
Improper Input Validation
cPanel before 84.0.20
CVE-2020-10114
6.1 - Medium
- March 17, 2020
cPanel before 84.0.20 allows stored self-XSS via the HTML file editor (SEC-535).
XSS
cPanel before 82.0.18
CVE-2019-20490
8.8 - High
- March 17, 2020
cPanel before 82.0.18 allows authentication bypass because webmail usernames are processed inconsistently (SEC-499).
cPanel before 82.0.18
CVE-2019-20492
8.8 - High
- March 17, 2020
cPanel before 82.0.18 allows authentication bypass because of misparsing of the format of the password file (SEC-516).
cPanel before 82.0.18
CVE-2019-20493
6.1 - Medium
- March 17, 2020
cPanel before 82.0.18 allows self-XSS because JSON string escaping is mishandled (SEC-520).
XSS
In cPanel before 82.0.18, Cpanel::Rand::Get
CVE-2019-20494
3.3 - Low
- March 17, 2020
In cPanel before 82.0.18, Cpanel::Rand::Get can produce a predictable series of numbers (SEC-525).
Improper Input Validation
cPanel before 82.0.18
CVE-2019-20495
6.5 - Medium
- March 17, 2020
cPanel before 82.0.18 allows attackers to read an arbitrary database via MySQL dump streaming (SEC-531).
Information Disclosure
cPanel before 82.0.18
CVE-2019-20496
5.5 - Medium
- March 17, 2020
cPanel before 82.0.18 allows attackers to conduct arbitrary chown operations as root during log processing (SEC-532).
cPanel before 82.0.18
CVE-2019-20498
9.8 - Critical
- March 17, 2020
cPanel before 82.0.18 allows WebDAV authentication bypass because the connection-sharing logic is incorrect (SEC-534).
cPanel before 84.0.20
CVE-2020-10122
6.5 - Medium
- March 17, 2020
cPanel before 84.0.20 allows a webmail or demo account to delete arbitrary files (SEC-547).
Improper Input Validation
cPanel before 84.0.20
CVE-2020-10121
9.8 - Critical
- March 17, 2020
cPanel before 84.0.20 allows a demo account to achieve code execution via PassengerApps APIs (SEC-546).
cPanel before 84.0.20
CVE-2020-10120
7.2 - High
- March 17, 2020
cPanel before 84.0.20 allows resellers to achieve remote code execution as root via a cpsrvd rsync shell (SEC-545).
AuthZ
cPanel before 84.0.20
CVE-2020-10119
9.8 - Critical
- March 17, 2020
cPanel before 84.0.20 allows a demo account to achieve remote code execution via a cpsrvd rsync shell (SEC-544).
cPanel before 84.0.20
CVE-2020-10118
9.1 - Critical
- March 17, 2020
cPanel before 84.0.20 allows a demo account to modify files via Branding API calls (SEC-543).
cPanel before 84.0.20 mishandles enforcement of demo checks in the Market UAPI namespace (SEC-542).
CVE-2020-10117
9.1 - Critical
- March 17, 2020
cPanel before 84.0.20 mishandles enforcement of demo checks in the Market UAPI namespace (SEC-542).
AuthZ
cPanel before 82.0.18
CVE-2019-20497
5.4 - Medium
- March 17, 2020
cPanel before 82.0.18 allows stored XSS via WHM Backup Restoration (SEC-533).
XSS
cPanel before 84.0.20
CVE-2020-10116
5.3 - Medium
- March 17, 2020
cPanel before 84.0.20 allows attackers to bypass intended restrictions on features and demo accounts via WebDisk UAPI calls (SEC-541).
AuthZ