Description
Incorrect privileges management and insufficient path filtering allow an attacker to read arbitrary files on the server via the cpdavd attachment download endpoints.
Published: 2026-05-13
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An error in privilege handling combined with inadequate path validation lets an attacker read any file on the server by requesting an attachment through the cpdavd download endpoints. The flaw can expose configuration files, credentials, or application data, compromising confidentiality and handing an attacker material for further attacks. The record's weakness entry is CWE‑250 (Execution with Unnecessary Privileges), not a privilege‑escalation category: read together with the description, it suggests that the download handler opens the requested file with more privilege than the requesting account holds, which is why a weak path filter becomes a server‑wide file read rather than a read confined to that account's own files.

Affected Systems

The vulnerability affects WebPros’ WP Squared and cPanel products. Versions are not explicitly enumerated in the advisory, so any installation of these products is potentially impacted until a patch is applied.

Risk and Exploitability

The CVSS 3.1 vector recorded for the issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L, base score 8.6, High) describes a network‑reachable request that needs no privileges and no user interaction, so the exposure is an unauthenticated request to the cpdavd attachment download endpoints; the high confidentiality impact is the arbitrary file read, with low integrity and availability impact. The EPSS score is below 1% and the issue is not listed in the CISA KEV catalog, so no in‑the‑wild exploitation is recorded; the SSVC enrichment likewise records Exploitation: none but Automatable: yes. An attacker who can reach the endpoint can exfiltrate data such as configuration and credential files and use it to pivot to further attacks.

Generated by OpenCVE AI on May 13, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the cPanel security update that addresses CVE‑2026‑29205 as soon as WebPros publishes it through the official support channel; at the time of writing this page records no vendor fix or workaround.
  • Until then, restrict reachability of cpdavd (cPanel's WebDAV/CalDAV daemon, which by default listens on ports 2077/2078 for WebDAV and 2079/2080 for CalDAV/CardDAV) with the host firewall or an upstream filter so that only trusted source addresses can reach the attachment download endpoints. Do not rely on the endpoint's own authentication as a mitigation: the CVSS vector records PR:N.
  • Harden the download handler: canonicalize the requested path (resolving '..' segments and symlinks) and refuse to serve anything whose resolved location lies outside the attachment directory, and perform the read with the privileges of the requesting account rather than as root, so that a filter bypass cannot reach files that account could not already read.
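As an added illustration (not cPanel's or WebPros' code, and not derived from the as yet unpublished fix), the following Python shows the kind of path check the third recommendation describes: the base directory and the requested name are both canonicalized before a prefix comparison, so '..' segments, percent‑encoded traversal, absolute paths and symlinks planted inside the attachment directory are all refused. The attachment directory, the sample files and the request strings are constructed for the example.

```python
import os
import tempfile
from urllib.parse import unquote


class AttachmentPathError(ValueError):
    """Raised when a client-supplied attachment name cannot be served safely."""


def resolve_attachment(base_dir: str, requested: str) -> str:
    """Map a client-supplied attachment name to a canonical path inside base_dir.

    Rejects NUL bytes, absolute paths, '..' sequences (including the
    percent-encoded form) and symlinks that resolve outside base_dir.
    """
    # Decode once so '%2e%2e%2f' cannot smuggle '..' past a naive substring check.
    name = unquote(requested)
    if "\x00" in name:
        raise AttachmentPathError("NUL byte in attachment name")
    if os.path.isabs(name):
        raise AttachmentPathError("absolute path not allowed")
    # Canonicalize the base first; if base_dir itself sits behind a symlink
    # (e.g. /var -> /private/var) a plain string prefix comparison would fail.
    root = os.path.realpath(base_dir)
    # realpath resolves both '..' and symlinks, so the prefix check below is
    # made on the file the kernel would actually open, not on the request text.
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise AttachmentPathError(f"path escapes attachment directory: {requested!r}")
    if not os.path.isfile(target):
        raise AttachmentPathError("attachment not found")
    return target


def read_attachment(base_dir: str, requested: str) -> bytes:
    """Return the attachment bytes, or raise AttachmentPathError."""
    target = resolve_attachment(base_dir, requested)
    # O_NOFOLLOW narrows the window between realpath() and open(): if the final
    # component was swapped for a symlink in the meantime, the open fails.
    fd = os.open(target, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed fixture: an attachment directory beside a file that must stay private."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        private = os.path.join(tmp, "secret.txt")          # outside the attachment dir
        with open(private, "w", encoding="utf-8") as fh:
            fh.write("not for clients")
        attach = os.path.join(tmp, "attachments")
        os.mkdir(attach)
        with open(os.path.join(attach, "report.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 constructed sample")
        os.symlink(private, os.path.join(attach, "link"))   # symlink that escapes
        for req in ("report.pdf", "sub/../report.pdf", "../secret.txt",
                    "%2e%2e/secret.txt", "/etc/hostname", "link"):
            try:
                results[req] = read_attachment(attach, req)
            except AttachmentPathError as exc:
                results[req] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req:22} -> {outcome!r}")
```

Note that "sub/../report.pdf" is accepted: the decision is made on the resolved path, not by scanning the request for the substring "..", which is the difference between a filter and a check. The path check is only the second half of the remediation; the privilege half is for the daemon to open the file as the account that owns the attachment (or to verify ownership after resolution) rather than as root, so that even a bypass of the filter is limited to files that account could already read.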

Generated by OpenCVE AI on May 13, 2026 at 23:21 UTC.

Advisories

No advisories yet.

History

Thu, 14 May 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 02:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Webpros; Webpros cpanel; Webpros wp Squared; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Webpros; Webpros cpanel; Webpros wp Squared; Wordpress; Wordpress wordpress

Wed, 13 May 2026 23:45:00 +0000

Type: Title
Values Removed: (none)
Values Added: File Disclosure via cpdavd Attachment Download Endpoint

Wed, 13 May 2026 22:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints.

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-250

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-14T13:13:52.380Z

Reserved: 2026-03-04T15:00:09.267Z

Link: CVE-2026-29205

Vulnrichment

Updated: 2026-05-14T13:13:43.295Z

NVD

Status : Awaiting Analysis

Published: 2026-05-13T22:16:42.817

Modified: 2026-05-14T18:30:57.103

Link: CVE-2026-29205

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T02:00:09Z

Weaknesses