Description
LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.
Published: 2026-06-14
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The LiteSpeed cPanel plugin operates on user-supplied paths without checking whether any component is a symbolic link. An attacker with FTP or web shell access to one account on a shared host running CloudLinux/CageFS can plant a symlink inside that account's directory that points at a file outside it; when the plugin acts on the path it follows the link, so files the tenant should never reach can be read or, per the assigned title, executed, giving remote code execution on the server. The weakness is CWE‑61, UNIX Symbolic Link (Symlink) Following: the path itself stays within the permitted tree, which is why prefix or string checks on it do not help.

Affected Systems

This issue affects LiteSpeed Technologies' cPanel plugin versions prior to v2.4.8, as distributed in LiteSpeed WHM PlugIn versions before v5.3.2.0. Servers running those plugin versions as shared hosts on CloudLinux/CageFS are in scope; the attacker needs FTP or web shell access to one hosted account.

Risk and Exploitability

The CVSS 3.1 score of 8.5 (vector AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) reflects a high severity vulnerability. PR:L matches the precondition: the attacker must already hold FTP or web shell write access to an account on the host, so the flaw is exploitable only by existing tenants or by anyone who has compromised a tenant, but once the symlink is in place it can be leveraged for remote code execution. Scope is Changed because the effect reaches beyond the attacker's own account into files of the host or of other tenants, and confidentiality, integrity and availability are all rated High. No EPSS score is available, but exploitation in the wild in May 2026 shows the threat is real. The vulnerability is not listed in CISA KEV.

Generated by OpenCVE AI on June 14, 2026 at 05:20 UTC.

Remediation

Vendor Solution

Upgrade to the LiteSpeed WHM PlugIn v5.3.2.0 or higher (which includes the cPanel PlugIn v2.4.8).


Vendor Workaround

Disable the cPanel PlugIn for LiteSpeed


OpenCVE Recommended Actions

  • Upgrade the LiteSpeed WHM PlugIn to version 5.3.2.0 or later, which includes the patched cPanel PlugIn v2.4.8.
  • If an upgrade is not immediately possible, disable the cPanel PlugIn for LiteSpeed to block the exploitation path.
  • Verify that the host environment enforces strict file permissions and limits symlink creation, and consider applying CloudLinux CageFS hardening measures.
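A concrete form of the last check, added here as an illustration and not a vendor or CloudLinux tool: scan every account home for symlinks whose resolved target lies outside that home, which is what an attacker plants to exploit this class of bug. The `/home/<account>` layout is an assumption; the tree, the `etc_shadow_stand_in` file and the two planted links are constructed in a temp dir.

```python
"""Hunt for tenant-planted symlinks whose target escapes the tenant's own home.

Added illustration, not a vendor or CloudLinux tool. The tree is constructed in a
temp dir: `home/alice` is an ordinary account, `home/mallory` holds two planted
links, and `etc_shadow_stand_in` stands in for a host file. The /home/<account>
layout is an assumption; point `homes_root` at the real accounts directory.
"""
import os
import tempfile


def resolves_inside(path, root):
    """True if path, after following every symlink, still lies under root."""
    real = os.path.realpath(path)
    root = os.path.realpath(root)
    return real == root or real.startswith(root + os.sep)


def escaping_symlinks(homes_root):
    """Return (link_path, link_target, account) for each symlink found under an
    account home that resolves outside that home. os.walk does not follow
    symlinked directories, so the scan never wanders out of the tenant tree."""
    findings = []
    for account in sorted(os.listdir(homes_root)):
        home = os.path.join(homes_root, account)
        if os.path.islink(home) or not os.path.isdir(home):
            continue
        for dirpath, dirnames, filenames in os.walk(home):
            for name in dirnames + filenames:
                p = os.path.join(dirpath, name)
                if os.path.islink(p) and not resolves_inside(p, home):
                    findings.append((p, os.readlink(p), account))
    return findings


def demo():
    """Build the constructed /home tree and return the escaping links found."""
    with tempfile.TemporaryDirectory() as tmp:
        homes = os.path.join(tmp, "home")
        secret = os.path.join(tmp, "etc_shadow_stand_in")
        open(secret, "w").close()
        for acct in ("alice", "mallory"):
            os.makedirs(os.path.join(homes, acct, "public_html"))
        # alice: a relative link inside her own tree is legitimate and must not be flagged
        open(os.path.join(homes, "alice", "public_html", "index.html"), "w").close()
        os.symlink("index.html", os.path.join(homes, "alice", "public_html", "home.html"))
        # mallory: links planted to reach another tenant's tree and a host file
        os.symlink(os.path.join(homes, "alice"),
                   os.path.join(homes, "mallory", "public_html", "alice"))
        os.symlink(secret, os.path.join(homes, "mallory", "public_html", "shadow.txt"))
        found = escaping_symlinks(homes)
        return sorted((os.path.relpath(p, homes), acct) for p, _target, acct in found)


if __name__ == "__main__":
    for rel, acct in demo():
        print(f"{acct}: {rel}")
```

Run against the real accounts directory as root and review each finding by hand; a link into another tenant's tree or into system paths is the artifact to triage first. Note that the mainline `fs.protected_symlinks` sysctl only restricts links in world-writable sticky directories, so it does not cover links a tenant creates inside their own home and is no substitute for this check or for the upgrade.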



Advisories

No advisories yet.

History

Sun, 14 Jun 2026 06:15:00 +0000

Type: First Time appeared
  Values added: Litespeed Technologies; Litespeed Technologies cpanel Plugin
Type: Vendors & Products
  Values added: Litespeed Technologies; Litespeed Technologies cpanel Plugin

Sun, 14 Jun 2026 05:30:00 +0000

Type: Title
  Values added: Symlink Manipulation Allowing Remote Code Execution in LiteSpeed cPanel Plugin

Sun, 14 Jun 2026 04:00:00 +0000

Type: Description
  Values added: LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.
Type: Weaknesses
  Values added: CWE-61
Type: References
Type: Metrics
  Values added: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-14T03:23:12.863Z

Reserved: 2026-06-14T03:23:12.439Z

Link: CVE-2026-54420

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-14T04:16:28.630

Modified: 2026-06-14T04:16:28.630

Link: CVE-2026-54420

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-14T06:15:06Z

Weaknesses
  • CWE-61

    UNIX Symbolic Link (Symlink) Following