CVE 8.8 HIGH

CVE-2026-29202_CVE-2026-29202

May 8, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.

AI Analysis

Arbitrary Perl code execution due to insufficient input validation

Basic Information

ID CVE-2026-29202

Source hackerone

Published May 8, 2026 at 18:51

Modified May 8, 2026 at 19:21

Affected Product

Vendor WebPros

Product cPanel

Version 11.136.0.0

Affected Versions WebPros cPanel 11.136.0.0
WebPros cPanel 11.134.0.0
WebPros cPanel 11.132.0.0
WebPros cPanel 11.130.0.0
WebPros cPanel 11.126.0.0
WebPros cPanel 11.124.0.0
WebPros cPanel 11.118.0.0
WebPros cPanel 11.110.0.0
WebPros cPanel 11.110.0.0
WebPros cPanel 11.102.0.0
WebPros cPanel 11.94.0.0
WebPros cPanel 11.86.0.0
WebPros cPanel (CentOS 6, CloudLinux 6) 11.110.0.0
WebPros WP Sqaured 11.136.1.0

CWE Classification

CWE-20

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor WebPros

Product cPanel

Version 11.136.0.0, 11.134.0.0, 11.132.0.0, 11.130.0.0, 11.126.0.0, 11.124.0.0, 11.118.0.0, 11.110.0.0, 11.102.0.0, 11.94.0.0, 11.86.0.0

References

support.cpanel.net /hc/en-us/articles/40311426610327-Security-CVE-2026-29202-cPanel-WHM-WP2-Security-Update-May-08-2026

{
    "lastseen": "",
    "description": "Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.",
    "published": "2026-05-08T18:51:05.585Z",
    "modified": "2026-05-08T19:21:50.287Z",
    "type": "cve",
    "title": "CVE-2026-29202",
    "source": "hackerone",
    "references": "https://support.cpanel.net/hc/en-us/articles/40311426610327-Security-CVE-2026-29202-cPanel-WHM-WP2-Security-Update-May-08-2026",
    "id": "CVE-2026-29202",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "WebPros cPanel 11.136.0.0\nWebPros cPanel 11.134.0.0\nWebPros cPanel 11.132.0.0\nWebPros cPanel 11.130.0.0\nWebPros cPanel 11.126.0.0\nWebPros cPanel 11.124.0.0\nWebPros cPanel 11.118.0.0\nWebPros cPanel 11.110.0.0\nWebPros cPanel 11.110.0.0\nWebPros cPanel 11.102.0.0\nWebPros cPanel 11.94.0.0\nWebPros cPanel 11.86.0.0\nWebPros cPanel (CentOS 6, CloudLinux 6) 11.110.0.0\nWebPros WP Sqaured 11.136.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cPanel",
    "version": "11.136.0.0",
    "vendor": "WebPros",
    "ai_description": "Arbitrary Perl code execution due to insufficient input validation",
    "ai_severity": "High",
    "ai_vendor": "WebPros",
    "ai_product": "cPanel",
    "ai_version": "11.136.0.0, 11.134.0.0, 11.132.0.0, 11.130.0.0, 11.126.0.0, 11.124.0.0, 11.118.0.0, 11.110.0.0, 11.102.0.0, 11.94.0.0, 11.86.0.0",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply