cPanel's Black Week: 3 New Vulnerabilities Patched After Attack on 44k Servers


TLDR

  • Ten days after CVE-2026-41940 ransomware hit 44,000 servers, cPanel issued a second emergency TSR (Targeted Security Release) covering three new CVEs, two rated CVSS 8.8.

Key Takeaways

  • CVE-2026-29202 (CVSS 8.8): arbitrary Perl code execution via create_user API; any authenticated shared-hosting tenant can exploit it.
  • CVE-2026-29203 (CVSS 8.8): unsafe symlink + chmod allows privilege escalation; chainable with CVE-2026-29202 for deeper access.
  • CVE-2026-29201 (CVSS 4.3): arbitrary file read via feature::LOADFEATUREFILE; lower severity but useful for staging follow-on attacks.
  • The original zero-day CVE-2026-41940 was exploited for ~2 months before the April 28 patch; servers unpatched during that window should be treated as compromised.
  • Forensic check: scan for .sorry files in home directories and audit /usr/local/cpanel/logs/access_log back to February 23, 2026.
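The forensic check in the last bullet, as an added example (not the article's or cPanel's own code): it enumerates `.sorry` marker files under the home tree and filters `access_log` lines back to February 23, 2026. It assumes access_log timestamps look like `[MM/DD/YYYY:HH:MM:SS -0000]` and runs on constructed sample lines, not real log data.

```python
"""Triage helper for the two indicators the article names (added example, not cPanel code).

Assumption (not stated in the article): access_log lines carry a bracketed
timestamp of the form [MM/DD/YYYY:HH:MM:SS -0000]. The sample lines are constructed."""
from __future__ import annotations
import re
from datetime import date
from pathlib import Path

WINDOW_START = date(2026, 2, 23)  # earliest exploitation date given in the article
SORRY_NAME = ".sorry"             # ransomware marker file the article says to look for
TS_RE = re.compile(r"\[(\d{2})/(\d{2})/(\d{4}):\d{2}:\d{2}:\d{2} [+-]\d{4}\]")


def find_sorry_files(home_root: str | Path = "/home") -> list[Path]:
    """Return every .sorry file anywhere under home_root (any depth)."""
    return sorted(p for p in Path(home_root).rglob(SORRY_NAME) if p.is_file())


def access_log_entries_since(lines, since: date = WINDOW_START) -> list[str]:
    """Keep lines whose timestamp falls on or after `since`.

    Lines with no parsable timestamp are kept as well, so a malformed or
    tampered line is surfaced for review instead of being silently dropped."""
    kept = []
    for line in lines:
        m = TS_RE.search(line)
        if m is None:
            kept.append(line)
            continue
        month, day, year = (int(x) for x in m.groups())
        if date(year, month, day) >= since:
            kept.append(line)
    return kept


SAMPLE_LOG = [  # constructed sample lines; request paths are placeholders, not real cPanel URLs
    '203.0.113.5 - alice [02/20/2026:09:12:01 -0000] "GET /placeholder/index.html HTTP/1.1" 200 0',
    '203.0.113.5 - alice [02/23/2026:03:44:10 -0000] "POST /placeholder/create_user HTTP/1.1" 200 0',
    '198.51.100.9 - root [03/05/2026:22:01:59 -0000] "GET /placeholder/listaccts HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for marker in find_sorry_files("/home"):
        print("marker file:", marker)
    for entry in access_log_entries_since(SAMPLE_LOG):
        print("in window:", entry)
```

On a live server, feed `open("/usr/local/cpanel/logs/access_log")` to `access_log_entries_since` instead of the constructed sample; rotated logs in the same directory need the same treatment.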

Hacker News Comment Review

  • Commenters flagged that the core risk is architectural: cPanel shared hosting runs user code with minimal sandboxing, so a low-bar authenticated exploit like CVE-2026-29202 is effectively near-unauthenticated in practice.
  • Consensus is that cPanel’s codebase is aging and likely harbors more undiscovered issues; the two TSRs in 10 days are seen as the expected output of an audit under pressure, not a reassuring sign of completeness.

Notable Comments

  • @xp84: most shared-hosting users are not reading security news, so operator-side auto-updates are the only realistic mitigation layer.
