Known Vulnerabilities for products from Cpanel
Listed below are 20 of the newest known vulnerabilities associated with the vendor "Cpanel".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-41940 json | Not Provided | 2026-04-29 | 2026-04-30 | |
| CVE-2025-22690 json | Not Provided | 2025-02-03 | 2026-04-23 | |
| CVE-2023-29489 json | An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, a... | 6.1 - MEDIUM | 2023-04-27 | 2023-05-05 |
| CVE-2021-38590 json | In cPanel before 96.0.8, weak permissions on web stats can lead to information disclosure (SEC-584). | 5.5 - MEDIUM | 2021-08-11 | 2022-05-03 |
| CVE-2021-38589 json | In cPanel before 96.0.13, scripts/fix-cpanel-perl does not properly restrict the overwriting of files (SEC-588). | 8.1 - HIGH | 2021-08-11 | 2021-08-20 |
| CVE-2021-38588 json | In cPanel before 96.0.13, fix_cpanel_perl lacks verification of the integrity of downloads (SEC-587). | 8.1 - HIGH | 2021-08-11 | 2021-08-20 |
| CVE-2021-38587 json | In cPanel before 96.0.13, scripts/fix-cpanel-perl mishandles the creation of temporary files (SEC-586). | 7.5 - HIGH | 2021-08-11 | 2022-07-12 |
| CVE-2021-38586 json | In cPanel before 98.0.1, /scripts/cpan_config performs unsafe operations on files (SEC-589). | 4.4 - MEDIUM | 2021-08-11 | 2021-08-20 |
| CVE-2021-38585 json | The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585). | 7.2 - HIGH | 2021-08-11 | 2021-08-20 |
| CVE-2021-38584 json | The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585). | 7.2 - HIGH | 2021-08-11 | 2021-08-20 |
| CVE-2021-31803 json | cPanel before 94.0.3 allows self-XSS via EasyApache 4 Save Profile (SEC-581). | 6.1 - MEDIUM | 2021-04-26 | 2021-05-06 |
| CVE-2021-26267 json | cPanel before 92.0.9 allows a MySQL user (who has an old-style password hash) to bypass suspension (SEC-579). | 7.5 - HIGH | 2021-01-26 | 2023-08-08 |
| CVE-2021-26266 json | cPanel before 92.0.9 allows a Reseller to bypass the suspension lock (SEC-578). | 7.5 - HIGH | 2021-01-26 | 2021-02-03 |
| CVE-2020-29137 json | cPanel before 90.0.17 allows self-XSS via the WHM Transfer Tool interface (SEC-577). | 6.1 - MEDIUM | 2020-11-27 | 2020-12-01 |
| CVE-2020-29136 json | In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575). | 6.5 - MEDIUM | 2020-11-27 | 2022-04-26 |
| CVE-2020-29135 json | cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567). | 4.1 - MEDIUM | 2020-11-27 | 2021-07-21 |
| CVE-2020-26115 json | cPanel before 90.0.10 allows self XSS via the Cron Editor interface (SEC-574). | 6.1 - MEDIUM | 2020-09-25 | 2020-09-25 |
| CVE-2020-26114 json | cPanel before 90.0.10 allows self XSS via the Cron Jobs interface (SEC-573). | 6.1 - MEDIUM | 2020-09-25 | 2020-09-25 |
| CVE-2020-26113 json | cPanel before 90.0.10 allows self XSS via WHM Manage API Tokens interfaces (SEC-569). | 6.1 - MEDIUM | 2020-09-25 | 2020-09-29 |
| CVE-2020-26112 json | The email quota cache in cPanel before 90.0.10 allows overwriting of files. | 7.5 - HIGH | 2020-09-25 | 2020-09-29 |
Known software with vulnerabilities from Cpanel
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Cpanel | Cpanel | 11.34.0 |
| Application | Cpanel | Webhost Manager | 11.34.0 |
| Application | Cpanel | Whm | 11.34.0 |