Symlink Handling Flaw in LiteSpeed cPanel Plugin <2.4.8 (WHM PlugIn <5.3.2.0)
CVE-2026-54420 Published on June 14, 2026
LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.
Known Exploited Vulnerability
This LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. LiteSpeed cPanel plugin contains a UNIX symbolic link (Symlink) following vulnerability that could allow a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS.
The following remediation steps are recommended / required by June 18, 2026: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicab
Vulnerability Analysis
CVE-2026-54420 is exploitable with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. This vulnerability is known to be actively exploited by threat actors. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Symlink following Vulnerability?
The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. A software system that allows UNIX symbolic links (symlink) as part of paths whether in internal code or through user input can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read/write/corrupt a file that they originally did not have permissions to access.
CVE-2026-54420 has been classified to as a Symlink following vulnerability or weakness.
Affected Versions
LiteSpeed Technologies cPanel Plugin:- Version 2.3 and below 2.4.8 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.