8.8 / 10 HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, which allows root permissions to be set on arbitrary system files or directories. This can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.
AI Analysis
Symlink vulnerability in cPanel Nova plugin allowing DoS or local privilege escalation
Basic Information
ID: CVE-2026-29203
Source: hackerone
Published: May 8, 2026 at 18:51
Modified: May 8, 2026 at 19:22
Affected Product
Vendor: WebPros
Product: cPanel
Version: 11.136.0.0
Affected Versions
WebPros cPanel 11.136.0.0
WebPros cPanel 11.134.0.0
WebPros cPanel 11.132.0.0
WebPros cPanel 11.130.0.0
WebPros cPanel 11.126.0.0
WebPros cPanel 11.124.0.0
WebPros cPanel 11.118.0.0
WebPros cPanel 11.110.0.0
WebPros cPanel 11.102.0.0
WebPros cPanel 11.94.0.0
WebPros cPanel 11.86.0.0
WebPros cPanel (CentOS 6, CloudLinux 6) 11.110.0.0
WebPros WP Squared 11.136.1.0
CWE Classification
AI Assessment
AI Score: 8.8 / 10
AI Severity: High
Vendor: WebPros
Product: cPanel
Version: 11.136.0.0, 11.134.0.0, 11.132.0.0, 11.130.0.0, 11.126.0.0, 11.124.0.0, 11.118.0.0, 11.110.0.0, 11.102.0.0, 11.94.0.0, 11.86.0.0