Description
Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.
Published: 2026-05-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated system user can supply an arbitrary value for the `plugin` parameter in the cPanel create_user plugin, which the plugin does not properly validate. This flaw allows execution of arbitrary Perl code in the context of the cPanel account, potentially compromising the entire system. The weakness is a classic input validation defect identified by CWE‑20, and it directly impacts the confidentiality, integrity, and availability of the affected host.

Affected Systems

The vulnerability is found in WebPros cPanel, including installations on CentOS 6 and CloudLinux 6. The WP Squared component, which integrates with the create_user plugin, is also affected. The specific affected products are cPanel versions that have not applied the missing input validation fix; exact version details are not supplied.

Risk and Exploitability

The flaw requires the attacker to have a valid authenticated cPanel session with access to the create_user interface. No exploitation details are disclosed beyond the parameter injection, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. With no EPSS score available, the likelihood of real‑world exploitation is uncertain, but the impact of arbitrary code execution poses a high threat when combined with the CVSS score of 8.8, indicating high severity, if the advisory is accepted.

Generated by OpenCVE AI on May 8, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest cPanel patch or update to a version that contains the input validation fix for the create_user plugin.
  • If an update is not immediately possible, disable or remove the vulnerable create_user plugin until a patched version is available.
  • Monitor cPanel logs for unusual plugin parameter usage and consider implementing web filter rules to block unexpected Perl code injection attempts.

Generated by OpenCVE AI on May 8, 2026 at 21:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title Arbitrary Perl Code Execution via Unvalidated Plugin Parameter in cPanel create_user

Fri, 08 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.
Weaknesses CWE-20
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-09T03:56:06.386Z

Reserved: 2026-03-04T15:00:09.267Z

Link: CVE-2026-29202

cve-icon Vulnrichment

Updated: 2026-05-08T19:21:45.443Z

cve-icon NVD

Status : Received

Published: 2026-05-08T19:16:30.047

Modified: 2026-05-08T20:16:29.867

Link: CVE-2026-29202

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T21:30:05Z

Weaknesses