The Short Version:

  • Five new cPanel CVEs patched on May 13 (CVE-2026-29205 through CVE-2026-32993), CVSS scores up to 8.6
  • Security researcher Shubham Shah (@infosec_au) reported within hours that the fix for CVE-2026-29205 is incomplete; restrict ports 2079 and 2080 as interim mitigation
  • WHMCS patched a separate authorization bypass (CVE-2026-29204) one day earlier
  • cPanel publicly described its release cadence going forward as weekly
  • Third cPanel patch cycle in fifteen days; nine cPanel CVEs across April 28, May 8, and May 13

The May 12-13 window produced two security releases from products under the WebPros umbrella. On May 12, WHMCS released versions 8.13.3 and 9.0.4 to address CVE-2026-29204, an authorization bypass affecting all earlier WHMCS 8.x and 9.x releases. On May 13 at 1:00pm EST, cPanel and WHM released patches for five additional CVEs: CVE-2026-29205, CVE-2026-29206, CVE-2026-32991, CVE-2026-32992, and CVE-2026-32993. Within hours of the cPanel release, security researcher Shubham Shah (@infosec_au) publicly stated that the fix for CVE-2026-29205 is incomplete, and that all cPanel instances remain exploitable until a working patch is released.

Separately, a cPanel staff member posting on the r/cpanel community on May 13 described the company’s near-term posture as “a weekly security release from cPanel while we work through our systems and patch up anything we can find.” The pace is consistent with the public timeline: April 28, May 8, May 13, with another release expected within seven days.

The cPanel May 13 Release in Detail

The five May 13 CVEs span five distinct vulnerability classes, with CVSS scores in the National Vulnerability Database reaching 8.6 (High). The breakdown:

  • CVE-2026-29205 (CVSS 8.6, High): Incorrect privileges management and insufficient path filtering in cpdavd attachment download endpoints allow reading arbitrary files without authentication. This is the pre-authentication arbitrary file read whose patch was reported as incomplete within hours of release (see below).
  • CVE-2026-29206 (CVSS 8.1, High): SQL injection in the sqloptimizer utility script. Insufficient sanitization allows SQL injection with root privileges when slow query logging is active. Requires user interaction.
  • CVE-2026-32991 (CVSS 7.1, High): Improper authorization checks allow team members to escalate to team owner privileges. Relevant to multi-tenant environments using cPanel’s Team Manager.
  • CVE-2026-32992 (CVSS 8.2, High): SSL verification disabled in the DNS Cluster system. An attacker positioned as a man-in-the-middle on a DNS Cluster connection can intercept and capture credentials.
  • CVE-2026-32993 (CVSS 8.3, High): CRLF injection in the /unprotected/nova_error endpoint allows unauthenticated header injection. This is the same vulnerability class as CVE-2026-41940, the April 28 pre-auth bypass that produced the .sorry ransomware campaign.

The patched version targets cover the major supported cPanel release lines: 11.86.0.44, 11.94.0.31, 11.102.0.42, 11.110.0.118, 11.118.0.67, 11.124.0.38, 11.126.0.59, 11.130.0.23, 11.132.0.32, 11.134.0.26, and 11.136.0.10. The manual update path is /scripts/upcp. CloudLinux 6 users are again directed to set the update tier to the cl6110 branch before manual update.

The patch series also covers WP Squared (WP2), WebPros’ specialized WordPress hosting platform that runs on top of cPanel and WHM. WP2 receives coordinated patches alongside the base cPanel release, with patched versions in the 11.136 WP2 line. The product, launched at CloudFest 2024, has been treated by WebPros as a distinct CVE-bearing product since CVE-2026-41940, which explicitly listed both cPanel/WHM and WP2 as affected. For hosting providers running WP Squared as their managed WordPress offering, the May 13 update applies to that environment as well, not only to base cPanel installations.

The Incomplete Patch for CVE-2026-29205

Security researcher Shubham Shah (@infosec_au), posting publicly within hours of the cPanel release, stated that version 11.134.0.26 does not fully close CVE-2026-29205. Shah’s position, in his own words: “Publishing research on this CVE right now is not the right call since it is still exploitable on all cPanel instances. The WebPro’s team is receiving an influx of submissions, and the right call for both the ecosystem and for the research, is to wait for a working patch.”

The interim mitigation Shah is recommending is to restrict access to TCP ports 2079 and 2080. The full exploit chain depends on reaching those ports, and blocking them at the firewall breaks the chain at the cost of some email-related functionality. For operators who cannot afford to wait for a complete patch, that port restriction is currently the most reliable available control.

WebPros has not publicly confirmed or contested Shah’s characterization at the time of writing. The standard cPanel update mechanism remains the path for any follow-up release into the 11.134.0.27 (or higher) version channel.

WHMCS CVE-2026-29204, One Day Earlier

WHMCS, the dominant billing and automation platform for the cPanel hosting ecosystem and also a WebPros product, released versions 8.13.3 and 9.0.4 on May 12 to address CVE-2026-29204. The vulnerability is an authorization bypass that allows authenticated users to access accounts and services that should not be visible to them. WHMCS published its advisory on the official help documentation site.

For hosting providers running both cPanel and WHMCS, which is the standard stack for managed shared hosting and reseller operations, the two-day window produced two distinct upgrade actions across two products from the same parent company. The combined operational load on the WebPros customer base for these two days was substantial, and operator discussion on community channels reflects the strain.

Weekly Releases as the Stated Posture

cPanel’s official advance notification email for the May 13 release contained the line: “You will hear from us more frequently as our processes evolve. This is intentional. We believe clear, timely communication is part of how we keep you protected.” That language signals a cadence change without committing to a specific frequency in the corporate communication.

On the r/cpanel community thread following the May 13 release, the cPanel staff account known as cPanelRex went further, posting: “For the time being, I would plan on there being a weekly security release from cPanel while we work through our systems and patch up anything we can find. We’re being proactive instead of reactive as much as we possibly can.” The same poster attributed the underlying pace to the fact that “every system is getting reviewed because the bots are faster than people,” with reference to recent disclosure cycles at other major projects including Firefox.

The distinction between corporate language (“more frequently”) and the staff posting on Reddit (“weekly”) matters less than the converging signal: cPanel is publicly stating, in multiple channels, that the release cadence operators experienced through April and into May is the cadence to plan for, not a temporary surge.

The trade-off is worth naming explicitly. CVE-2026-41940 was actively exploited for an estimated 64 days before disclosure on April 28, with Shadowserver tracking at least 44,000 compromised IP addresses by the time the patch was available and the .sorry ransomware campaign that followed putting entire hosting providers into multi-week recovery. The weekly cadence cPanel is now committing to is the operational response designed to ensure that a 64-day exploitation window does not happen again. A patch event every week, however taxing the workflow load, is the configuration that prevents the next CVE-2026-41940. Operators who lived through that incident at its full scale are unlikely to argue against the principle, even where the implementation feels uncomfortable in any given week.

Three Weeks of Context

The period from April 28 through May 13 contains three distinct cPanel security release events:

  • April 28: CVE-2026-41940, the CVSS 9.8 pre-authentication bypass via CRLF injection. Exploited for an estimated 64 days before disclosure. Shadowserver tracking identified at least 44,000 IP addresses confirmed compromised. Censys identified 7,135 cPanel/WHM hosts with .sorry ransomware artifacts on disk.
  • May 8: CVE-2026-29201 (CVSS 4.3, arbitrary file read), CVE-2026-29202 (CVSS 8.8, Perl code execution via create_user API), and CVE-2026-29203 (CVSS 8.8, unsafe symlink handling). Published with technical detail alongside the patch.
  • May 13: The five CVEs covered above. CVE-2026-29205 patch reported incomplete within hours.

That is nine cPanel CVEs across three release events in fifteen days, plus one WHMCS CVE in the same window. The first incident produced an active ransomware campaign. The second was handled cleanly. The third arrived with both a public commitment to maintain the pace and a published research finding that one of the five fixes is not yet adequate.

What the Operator Channels Are Saying

The r/cpanel community discussion under the May 13 release captures the operator-side experience. Comments include “Patched my cPanel twice last week, then the Linux exploit that was announced, plus the CloudLinux one. This is getting ridiculous,” and observations that the patch windows fall in the middle of the night across most timezones outside North America. One operator described setting an automated upcp to run 30 minutes after each announced release time as a workaround.

The two operational issues surfacing repeatedly in those threads are notification and verification. On notification, operators report finding out about cPanel security releases through Reddit rather than through official channels, particularly when their licenses come through resellers (a common configuration through OVH and other large hosters). cPanel staff have publicly committed to publishing a path for direct subscription to security alerts. On verification, the question of how operators confirm that their entire fleet has actually received and applied a given update within a reasonable window of release remains open, particularly as mirror sync and update tier timing varies.
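One way to approach the verification question, as an added example written for this article rather than a cPanel tool or anything published by WebPros: the script below takes a list of hostname and version pairs, however the fleet inventory was collected (the collection step, such as reading each host's cPanel version file over SSH, is assumed and not shown), and compares each version against the patched builds listed in the May 13 release notes quoted above. Hosts on a release line the advisory does not mention, and entries that do not parse as a four-part cPanel version, are reported separately instead of being silently counted as safe. The sample fleet output is constructed, and 11.134.0.26 is treated as the advisory threshold even though the CVE-2026-29205 fix in that build was reported incomplete; the threshold for that line should be raised once a follow-up build ships.

```python
"""Fleet patch-level audit against the May 13 cPanel security release.

Example code for illustration; not a cPanel or WebPros utility.
"""

# Minimum patched build per release line, as listed in the May 13 release.
# Keyed by (major, minor) so each host is compared only with its own line.
PATCHED_MAY_13 = {
    (11, 86): (11, 86, 0, 44),
    (11, 94): (11, 94, 0, 31),
    (11, 102): (11, 102, 0, 42),
    (11, 110): (11, 110, 0, 118),
    (11, 118): (11, 118, 0, 67),
    (11, 124): (11, 124, 0, 38),
    (11, 126): (11, 126, 0, 59),
    (11, 130): (11, 130, 0, 23),
    (11, 132): (11, 132, 0, 32),
    (11, 134): (11, 134, 0, 26),  # reported incomplete for CVE-2026-29205
    (11, 136): (11, 136, 0, 10),
}

STATUSES = ("patched", "vulnerable", "unknown-line", "unparseable")


def parse_version(text):
    """Turn '11.134.0.26' into (11, 134, 0, 26); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify_host(version_text, patched=PATCHED_MAY_13):
    """Return 'patched', 'vulnerable', 'unknown-line' or 'unparseable'."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparseable"
    line = version[:2]
    if line not in patched:
        # EOL line or a line newer than the advisory: needs a manual look,
        # never an implicit pass.
        return "unknown-line"
    return "patched" if version >= patched[line] else "vulnerable"


def audit_fleet(report_lines, patched=PATCHED_MAY_13):
    """Group hosts by status from 'hostname version' inventory lines.

    Blank lines and '#' comments are skipped; a line without exactly two
    fields is recorded as unparseable under whatever its first token was.
    """
    result = {status: [] for status in STATUSES}
    for raw in report_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            result["unparseable"].append(fields[0] if fields else line)
            continue
        host, version = fields
        result[classify_host(version, patched)].append(host)
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_FLEET = """\
# host                 cPanel version
web01.example.test     11.134.0.26
web02.example.test     11.134.0.25
web03.example.test     11.110.0.118
web04.example.test     11.110.0.117
web05.example.test     11.136.0.11
legacy.example.test    11.84.0.12
broken.example.test    11.134
"""

if __name__ == "__main__":
    report = audit_fleet(SAMPLE_FLEET.splitlines())
    for status in STATUSES:
        hosts = report[status]
        print(f"{status:13s} {len(hosts):3d}  {' '.join(hosts)}")
```

Run against a real inventory, the "vulnerable" bucket is the list to re-run /scripts/upcp on (or to check for mirror and update-tier lag), while "unknown-line" is the list that needs a human decision rather than a retry.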

One operator framed the architectural question that the weekly cadence raises: “Honestly we are at the point where the traditional model of notify, release, patch isn’t going to cut it. I feel like cPanel needs to start thinking about an immutable OS Core with the ability to push updates out for security at a moment’s notice. We need a paradigm shift if we are going to keep up with this bell curve.”

The cost of failing to keep up with this cadence is concrete. Skynethosting took its entire cPanel fleet offline on May 1 in response to CVE-2026-41940 and, as of May 12, some customer servers had been down for eleven days, with one reseller publicly reporting a 30 percent customer loss during the outage. That is one provider’s response to one of the three CVEs in this fifteen-day window. The weekly cadence cPanel has now publicly committed to does not increase the per-incident severity, but it does increase the frequency with which any provider’s incident response will be tested.

Whether cPanel moves toward the immutable-core model that operator describes, or whether the weekly release cadence is itself the response, will define how hosting providers running cPanel as core infrastructure plan their operations through the rest of 2026. The control panel that was previously a slow-moving, stable dependency is now, by its own publicly stated plan, going to ship security updates approximately every week. The WHMCS advisory one day earlier suggests the pattern extends across WebPros’ broader portfolio, not just cPanel itself.