Description
Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled.
Published: 2026-05-13
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The sqloptimizer utility script in cPanel and related WebPros products fails to properly sanitize SQL queries, permitting a privileged SQL injection that executes under the root account when Slow Query logging is active. This vulnerability enables an attacker to run arbitrary SQL commands with root privileges, potentially compromising confidentiality, integrity, and availability of the system’s database layer.

Affected Systems

The flaw affects WebPros’ WP Squared, cPanel, and cPanel installations on CloudLinux 6 and CentOS 6. No specific version ranges are enumerated in the advisory, so any deployment of these products may be susceptible until a patch is applied.

Risk and Exploitability

With a CVSS score of 8.1 the risk is rated high; the EPSS score is not available, so the current probability of exploitation remains uncertain. The vulnerability is not listed in CISA's KEV catalog, but the root-level nature of the attack vector means exploitation would have severe consequences if an attacker can leverage the enabled Slow Query logging feature. The likely attack requires local privileged access or the ability to influence the logging process, possibly through the web interface or configuration files. Should the vulnerability be exploited, the attacker could execute destructive commands as root, leading to total system compromise.

Generated by OpenCVE AI on May 13, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update cPanel and WP Squared to the latest releases that address the sqloptimizer injection flaw if a vendor patch is available.
  • If an immediate patch is not feasible, disable Slow Query logging in cPanel’s configuration to eliminate the vulnerable execution path.
  • Verify database accounts follow the principle of least privilege and audit root‑level scripts for unexpected queries.


Tracking


Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Webpros; Webpros cpanel; Webpros cpanel (cloudlinux 6, Centos 6); Webpros wp Squared
Vendors & Products | | Webpros; Webpros cpanel; Webpros cpanel (cloudlinux 6, Centos 6); Webpros wp Squared

Thu, 14 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 23:45:00 +0000

Type | Values Removed | Values Added
Title | | SQL Injection via sqloptimizer in cPanel when Slow Query logging is enabled

Wed, 13 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled.
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-14T13:55:12.266Z

Reserved: 2026-03-04T15:00:09.267Z

Link: CVE-2026-29206

Vulnrichment

Updated: 2026-05-14T13:55:09.000Z

NVD

Status: Deferred

Published: 2026-05-13T23:16:42.477

Modified: 2026-05-14T16:49:18.583

Link: CVE-2026-29206

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:33:06Z

Weaknesses