Description
SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials.
Published: 2026-05-13
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the DNS Cluster system of WebPros cPanel and WP Squared where SSL certificate verification has been disabled. This weakness, identified as CWE‑295, permits an attacker to intercept and alter traffic between the client and the server. By compromising the SSL validation process, an attacker could further read or modify transmitted data, exposing authentication credentials and other sensitive information. The impact therefore includes potential confidentiality breach and unauthorized control over user sessions.

Affected Systems

The affected products are WebPros cPanel and WP Squared. No specific version numbers are listed in the available data, so all current installations of these products are potentially impacted until a patched version is deployed.

Risk and Exploitability

The CVSS score of 8.2 reflects a high severity, and the EPSS score is not available, which means the current exploitation likelihood is unknown. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a network compromise involving the DNS Cluster; an attacker who can influence DNS traffic or gain control of the DNS Cluster configuration can inject forged SSL certificates to perform a man‑in‑the‑middle attack. The absence of SSL verification removes the primary integrity and authenticity checks, enabling credential theft if the attacker gains appropriate network access.

Generated by OpenCVE AI on May 13, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the cPanel security update released on May 13, 2026 from the vendor’s support site
  • Verify that the DNS Cluster configuration now requires SSL/TLS certificate verification for all inbound and outbound connections
  • Continuously monitor DNS traffic for anomalous changes or unauthorized certificate usage, and employ network intrusion detection tools to detect potential MITM attempts


Advisories

No advisories yet.

History

Thu, 14 May 2026 14:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 00:00:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Webpros; Webpros cpanel; Webpros wp Squared

Type: Vendors & Products
Values Removed: (empty)
Values Added: Webpros; Webpros cpanel; Webpros wp Squared

Wed, 13 May 2026 22:15:00 +0000

Type: Description
Values Removed: (empty)
Values Added: SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials.

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-295

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-14T13:13:06.565Z

Reserved: 2026-03-17T15:00:07.746Z

Link: CVE-2026-32992

Vulnrichment

Updated: 2026-05-14T13:13:02.990Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T22:16:43.010

Modified: 2026-05-14T18:30:57.103

Link: CVE-2026-32992

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T00:00:07Z

Weaknesses