CVE-2026-54420

CVE	CVE-2026-54420
State	PUBLISHED
Assigner	mitre
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-14 04:16:28 UTC
Updated	2026-06-14 04:16:28 UTC
Description	LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.

Primary CVSS: v3.1 8.5 HIGH from [email protected]

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem Types: CWE-61 | CWE-61 CWE-61 UNIX Symbolic Link (Symlink) Following

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Secondary	8.5	HIGH	`CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H`
3.1	CNA	CVSS	8.5	HIGH	`CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H`

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Source	Vendor	Product	Version	Platforms
CNA	LiteSpeed Technologies	CPanel Plugin	affected 2.3 2.4.8 custom	Linux

Reference	Source	Link	Tags
www.litespeedtech.com/products/litespeed-web-server/control-panel-support/cpanel	[email protected]	www.litespeedtech.com
blog.litespeedtech.com/2026/06/01/security-update-for-litespeed-cpanel-plugin-2	[email protected]	blog.litespeedtech.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

CNA: Upgrade to the LiteSpeed WHM PlugIn v5.3.2.0 or higher (which includes the cPanel PlugIn v2.4.8).

CNA: Disable the cPanel PlugIn for LiteSpeed

There are currently no legacy QID mappings associated with this CVE.