Home / Vulnerability Intelligence / CVE-2026-29202

CVE-2026-29202 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: May 8, 2026

Unspecified Product - Command Injection

Published: May 8, 2026Updated: May 8, 2026Remote Exploitable

Overview

An unspecified product contains a command injection caused by insufficient input validation of the "plugin" parameter in the create_user plugin, letting authenticated users execute arbitrary Perl code on the system.

Severity & Score

Severity: High

CVSS Score: 8.8

Impact

Authenticated users can execute arbitrary Perl code, potentially leading to full system compromise.

Mitigation

Update to the latest version with input validation fixes.

References

https://support.cpanel.net/hc/en-us/articles/40311426610327-Security-CVE-2026-29202-cPanel-WHM-WP2-Security-Update-May-08-2026

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-29202
Severity: High
CVSS Score: 8.8
Type: command_injection
Status: new

CWE

CWE-20

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H