Description
Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
Published: 2026-05-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is due to insufficient validation of the file name supplied to the feature::LOADFEATUREFILE administration API call. By submitting a relative file path, an attacker can read any file that the cPanel process can access. This can expose sensitive configuration files, credentials, or system logs, and constitutes an input validation flaw (CWE-20).
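As an added illustration (not cPanel's code and not taken from this advisory), the pattern the description points at, a loader that joins a caller-supplied file name straight onto a directory, is shown next to a hardened version that allow-lists the name and checks the resolved path; the feature directory, file names and contents are constructed here for the demo.

```python
import os
import re
import tempfile

# Constructed sandbox: a fake feature directory holding one legitimate feature
# file, plus a "secret" file outside it that the loader must never return.
ROOT = tempfile.mkdtemp(prefix="featuredemo-")
FEATURE_DIR = os.path.join(ROOT, "features")
os.makedirs(FEATURE_DIR)
with open(os.path.join(FEATURE_DIR, "default"), "w") as fh:
    fh.write("# constructed feature list\nwebmail=1\n")
with open(os.path.join(ROOT, "secret.conf"), "w") as fh:
    fh.write("password=hunter2\n")

# Only bare feature-list names are legitimate: no separators, no dots.
FEATURE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def load_feature_file_unsafe(name: str) -> str:
    """Illustrative vulnerable pattern (assumed, not cPanel's code): the
    caller's string is joined onto the directory unchecked, so a relative
    name such as '../secret.conf' walks out of the feature directory."""
    with open(os.path.join(FEATURE_DIR, name)) as fh:
        return fh.read()


def load_feature_file(name: str) -> str:
    """Hardened loader: allow-list the name, then confirm the resolved path
    is still inside FEATURE_DIR (catches symlinks and anything the regex
    might later be loosened to admit)."""
    if not FEATURE_NAME.fullmatch(name):
        raise ValueError(f"invalid feature name: {name!r}")
    base = os.path.realpath(FEATURE_DIR)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("feature path escapes feature directory")
    with open(target) as fh:
        return fh.read()


def demo() -> dict:
    """Report what each loader does with a legitimate and a relative name."""
    out = {"unsafe_leaks": "hunter2" in load_feature_file_unsafe("../secret.conf"),
           "safe_default": "webmail=1" in load_feature_file("default")}
    try:
        load_feature_file("../secret.conf")
        out["safe_rejects"] = False
    except ValueError:
        out["safe_rejects"] = True
    return out
```

`demo()` returns `{'unsafe_leaks': True, 'safe_default': True, 'safe_rejects': True}`: the unchecked join reads the file outside the directory, the hardened loader serves the real feature file and refuses the relative name.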

Affected Systems

The issue affects WebPros products, specifically cPanel, including the WP Squared and WP2 dashboards, as well as cPanel running on CentOS 6 and CloudLinux 6. No specific version numbers are listed in the advisory, so any installation of these products remains a potential risk until a patch is applied.

Risk and Exploitability

The CVSS score is 4.3, and no EPSS data is available; the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attacker must possess administrative credentials to call the feature::LOADFEATUREFILE endpoint, implying an authenticated admin API as the attack vector. Because the endpoint is privileged, the practical likelihood of exploitation is moderate for sites with exposed or misconfigured admin APIs. The primary impact is disclosure of arbitrary files, which could enable further compromise or data exfiltration.

Generated by OpenCVE AI on May 8, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest cPanel security update for CVE-2026-29201 released by WebPros.
  • If the feature::LOADFEATUREFILE API is not required, disable it or restrict access to trusted administrators and IP addresses.
  • Enforce file system isolation for the cPanel process, such as chroot or containerization, to limit access to non-essential files.


Tracking


Advisories

No advisories yet.

History

Fri, 08 May 2026 22:15:00 +0000

Type: Title
Values Removed: Arbitrary File Read via Feature File Name Validation in cPanel Administration API
Values Added: Arbitrary File Read via Feature File Name Validation in cPanel Admin API

Fri, 08 May 2026 21:00:00 +0000

Type: Title
Values Added: Arbitrary File Read via Feature File Name Validation in cPanel Administration API

Fri, 08 May 2026 20:15:00 +0000

Type: Metrics
Values Added:
cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 19:00:00 +0000

Type: Description
Values Added: Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
Type: Weaknesses
Values Added: CWE-20
Type: References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-08T19:52:40.780Z

Reserved: 2026-03-04T15:00:09.267Z

Link: CVE-2026-29201

Vulnrichment

Updated: 2026-05-08T19:52:31.187Z

NVD

Status: Received

Published: 2026-05-08T19:16:29.930

Modified: 2026-05-08T20:16:29.727

Link: CVE-2026-29201

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T22:00:15Z

Weaknesses