Description
Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
Published: 2026-05-08
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is caused by insufficient validation of the file name supplied to the `feature::LOADFEATUREFILE` administration API call. Passing a relative file path can allow an attacker to read any file that the cPanel process can access. This path traversal flaw (CWE‑23) enables arbitrary file read, but the advisory does not specify the potential for further exploitation.

Affected Systems

The issue affects WebPros products, specifically cPanel, including the WP Squared dashboard, as well as cPanel running on CentOS 6 and CloudLinux 6. No specific version numbers are listed, so any installation of these products remains a potential risk until a patch is applied.

Risk and Exploitability

The CVSS score is 8.6, and the EPSS probability is < 1%. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attacker must have access to the feature::LOADFEATUREFILE endpoint, implying an authenticated admin API as the attack vector. The practical likelihood of exploitation depends on the exposure of the admin API and the privileges of the attacker.

Generated by OpenCVE AI on May 13, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest cPanel security update for CVE-2026-29201 released by WebPros.
  • If the feature::LOADFEATUREFILE API is not required, disable it or restrict access to trusted administrators and IP addresses.
  • Enforce file system isolation for the cPanel process, such as chroot or containerization, to limit access to non‑essential files.

Advisories

No advisories yet.

History

Wed, 13 May 2026 23:45:00 +0000

Type Values Removed Values Added
Title Insufficient File Name Validation in cPanel Load Feature API Enables Arbitrary File Read

Wed, 13 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics
  Removed: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
  Added: cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}


Tue, 12 May 2026 23:15:00 +0000

Type Values Removed Values Added
Title Insufficient File Name Validation in cPanel Load Feature API Enables Arbitrary File Read

Tue, 12 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Description
  Removed: Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` AdminBin call can cause arbitrary file read when a relative file path is passed.
  Added: Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
Weaknesses CWE-23

Tue, 12 May 2026 00:30:00 +0000

Type Values Removed Values Added
Title Arbitrary File Read via Feature File Name Validation in cPanel Admin API

Mon, 11 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
  Added: Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` AdminBin call can cause arbitrary file read when a relative file path is passed.

Sun, 10 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Webpros
Webpros cpanel
Webpros cpanel (centos 6, Cloudlinux 6)
Webpros wp Squared
Vendors & Products Webpros
Webpros cpanel
Webpros cpanel (centos 6, Cloudlinux 6)
Webpros wp Squared

Fri, 08 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title
  Removed: Arbitrary File Read via Feature File Name Validation in cPanel Administration API
  Added: Arbitrary File Read via Feature File Name Validation in cPanel Admin API

Fri, 08 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title Arbitrary File Read via Feature File Name Validation in cPanel Administration API

Fri, 08 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
Weaknesses CWE-20
References

MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-13T21:59:09.469Z

Reserved: 2026-03-04T15:00:09.267Z

Link: CVE-2026-29201

Vulnrichment

Updated: 2026-05-08T19:52:31.187Z

NVD

Status: Deferred

Published: 2026-05-08T19:16:29.930

Modified: 2026-05-13T22:16:42.497

Link: CVE-2026-29201

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T23:30:06Z

Weaknesses
  • CWE-23

    Relative Path Traversal