Description
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.
Published: 2026-05-21
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to elevate privileges, possibly to root, by exploiting improper handling of Redis enable/disable commands in the LiteSpeed User‑End cPanel Plugin before version 2.4.5. Detection is performed by searching for the keyword 'cpanel_jsonapi_func=redisAble' in cPanel logs; absence of the string indicates no exploitation, while its presence suggests the plugin’s Redis feature was abused. The flaw is a CWE‑266 privilege‑escalation vulnerability that was actively exploited in May 2026.

Affected Systems

Affected products include the LiteSpeed Technologies cPanel Plugin before version 2.4.5 and the LiteSpeed WHM PlugIn before version 5.2.10. Users should verify that their cPanel installation is version 2.4.5 or newer, and that the WHM PlugIn is at least version 5.2.10.

Risk and Exploitability

The CVSS score is 10.0, reflecting critical severity. The EPSS score is <1%, indicating a low exploitation probability, yet the vulnerability has been actively exploited in May 2026 and is not listed in the CISA KEV catalog. The direct attack vector is not explicitly defined in the vendor notes, but detection via logs suggests that the exploit requires an attacker to trigger or observe the plugin’s Redis commands, which could be achieved through a compromised cPanel session or a script that invokes the API. Given the high severity and active exploitation, the risk to systems remains extreme.

Generated by OpenCVE AI on May 21, 2026 at 18:54 UTC.

Remediation

Vendor Solution

Installation of LiteSpeed WHM PlugIn 5.3.1.0 and cPanel 2.4.7.  Though installation of WHM 5.2.10 and cPanel 2.4.5 and above mitigate most of the issues.

OpenCVE Recommended Actions

  • Upgrade the LiteSpeed cPanel Plugin to version 2.4.7 and the WHM PlugIn to 5.3.1.0.
  • Run "grep -rE 'cpanel_jsonapi_func=redisAble' /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null" to locate suspicious activity and block offending IP addresses.
  • Review system logs for unauthorized privilege escalation or root execution attempts.
  • Apply any subsequent patch or update to the cPanel plugin as soon as it becomes available to maintain security.

Generated by OpenCVE AI on May 21, 2026 at 18:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 19:15:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Redis API in LiteSpeed cPanel Plugin

Thu, 21 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. LiteSpeed WHM Plugin (the parent plugin) is unaffected. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.

Thu, 21 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 21 May 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Litespeed Technologies
Litespeed Technologies cpanel Plugin
Vendors & Products Litespeed Technologies
Litespeed Technologies cpanel Plugin

Thu, 21 May 2026 03:15:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Redis API in LiteSpeed cPanel Plugin

Thu, 21 May 2026 01:30:00 +0000

Type Values Removed Values Added
Description LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. LiteSpeed WHM Plugin (the parent plugin) is unaffected. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features.
Weaknesses CWE-266
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Litespeed Technologies Cpanel Plugin
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-21T18:09:29.784Z

Reserved: 2026-05-21T00:38:03.845Z

Link: CVE-2026-48172

cve-icon Vulnrichment

Updated: 2026-05-21T12:46:02.557Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-21T02:16:33.760

Modified: 2026-05-21T18:16:17.340

Link: CVE-2026-48172

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T19:00:14Z

Weaknesses