Description
Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.
Published: 2026-05-13
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper sanitization of the status query parameter on the /unprotected/nova_error endpoint, allowing an unauthenticated attacker to inject arbitrary HTTP headers into the server’s response. This flaw—classified under CWE‑93—enables the attacker to manipulate response headers, potentially facilitating phishing, session hijacking, or other information‑disclosure attacks by altering client‑side behavior.

Affected Systems

The affected systems are WebPros WP Squared and WebPros cPanel (WHM). No specific version information is provided in the available data, so all installations of these products should be considered potentially vulnerable until confirmed patched or assessed.

Risk and Exploitability

The CVSS score of 8.3 indicates a high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that exploitation likelihood is not well known but remains a concern. Because the endpoint is unprotected and authentication is not required, an attacker only needs to send a crafted HTTP request over the network to exploit the flaw. Successful exploitation could allow arbitrary header injection, which may serve as a vector for further attacks.

Generated by OpenCVE AI on May 13, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the WebPros website for a security update that addresses the header sanitization flaw and apply the patch to all affected cPanel installations.
  • If a patch is not yet available, limit exposure by disabling or restricting access to the /unprotected/nova_error endpoint through firewall rules or access control lists.
  • Implement server‑side validation or sanitization for the status parameter to prevent injection of characters that could form HTTP headers.

Generated by OpenCVE AI on May 13, 2026 at 23:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 00:30:00 +0000

Type Values Removed Values Added
First Time appeared Webpros
Webpros cpanel
Webpros wp Squared
Vendors & Products Webpros
Webpros cpanel
Webpros wp Squared

Wed, 13 May 2026 22:15:00 +0000

Type Values Removed Values Added
Description Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.
Weaknesses CWE-93
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L'}

Subscriptions

Webpros Cpanel Wp Squared
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-14T13:12:33.758Z

Reserved: 2026-03-17T15:00:07.746Z

Link: CVE-2026-32993

cve-icon Vulnrichment

Updated: 2026-05-14T13:12:27.595Z

cve-icon NVD

Status : Deferred

Published: 2026-05-13T22:16:43.143

Modified: 2026-05-14T16:49:18.583

Link: CVE-2026-32993

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T00:30:07Z

Weaknesses