By Sarah Chen
Hot radar note: On May 8, 2026 cPanel released a second emergency security advisory, this time for three new vulnerabilities (CVE-2026-29201, CVE-2026-29202, CVE-2026-29203) arriving only ten days after CVE-2026-41940 was used to deploy Sorry ransomware on about 44,000 servers. This is an active, rolling incident, not a one-off bug.
What happened
On May 8, 2026, cPanel published a coordinated advisory covering three new CVEs across cPanel, WHM, and the WP Squared (WP2) line. The Hacker News and independent hosting providers have confirmed the fixed builds: 11.136.0.9 and higher, and 11.134.0.25 and higher, with matching patches down through 11.86.
The most serious two flaws carry a CVSS score of 8.8. One enables code execution, and another opens the door to privilege escalation. CVE-2026-29203 specifically involves unsafe symlink handling in chmod: a local user can modify access permissions on arbitrary files, leading to denial-of-service or privilege escalation inside a shared hosting environment.
These are distinct from the earlier CVE-2026-41940 authentication bypass that fueled the Sorry ransomware campaign, but the pattern is clear: cPanel is in the crosshairs, and ransomware crews are watching patch notes as closely as hosting providers are.
Why this matters for site owners
cPanel underpins a large share of the shared hosting market used by small businesses, bloggers, ecommerce stores, affiliate sites, agencies, and independent publishers. When a control panel vulnerability is announced, attackers can move faster than hosting customers can patch. The Sorry ransomware campaign showed mass scanning starts within days, not weeks.
For anyone running a site on cPanel or WHM:
- Verify your current build with `/usr/local/cpanel/cpanel -V` or the WHM homepage.
- Trigger an update with `/scripts/upcp` if your host has not already rolled the patch.
- Confirm your build is at least 11.136.0.9 or 11.134.0.25, or the equivalent for your tier.
- Rotate WHM, cPanel, FTP, SSH, database, and email passwords after the patch.
- Review recent logins, new admin users, cron jobs, suspicious PHP files, and unexpected `.htaccess` redirects.
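The build comparison from the list above can be scripted. This is an added example, not code from cPanel or from the original article; it knows only the two fixed builds named here and reports every other tier as `unknown`, and the short `136.0 (build 9)` form it accepts is an assumption about how the panel may display the version.

```shell
#!/bin/sh
# Added example (not cPanel's code): classify a build string against the
# fixed builds named in the article. Tiers the article does not list
# return "unknown" instead of a guess.

# Fixed builds from the article: "tier minimum-build", one per line.
FIXED_BUILDS="11.136.0 9
11.134.0 25"

# Accept "11.136.0.9" or, as an assumption about the short display form,
# "136.0 (build 9)"; print the dotted four-part form.
normalize_build() {
    v=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$v" in
        *"(build"*)
            tier=${v%%\(*}
            build=${v##*build}
            build=${build%\)}
            v="11.$tier.$build" ;;
    esac
    printf '%s\n' "$v"
}

# check_build VERSION -> prints patched, vulnerable, or unknown
check_build() {
    v=$(normalize_build "$1")
    case "$v" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    tier=${v%.*}; build=${v##*.}
    # A non-numeric build component cannot be compared safely.
    case "$build" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    min=$(printf '%s\n' "$FIXED_BUILDS" | awk -v t="$tier" '$1 == t { print $2 }')
    if [ -z "$min" ]; then echo unknown
    elif [ "$build" -ge "$min" ]; then echo patched
    else echo vulnerable
    fi
}

# Constructed sample inputs; on a server, pass the string your panel reports.
for sample in 11.136.0.9 11.134.0.24 "136.0 (build 12)" 11.130.0.5; do
    printf '%-18s %s\n' "$sample" "$(check_build "$sample")"
done
```

An `unknown` result means the tier's fixed build has to be looked up in cPanel's advisory, not that the server is safe.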
Shared hosting customers on managed plans should ask their provider for a written confirmation of the patched build and an indicator-of-compromise review.
Why this matters for consumers
Most people do not touch cPanel directly, but they can be affected when a small site they shop at, read, or log into gets compromised. A hijacked site can turn into a phishing host, a fake checkout skimmer, or a malware redirect. When the underlying host is unpatched, those outcomes scale.
If a site you recently used announces a security incident, change the password you used there first, watch payment-card activity, and stay alert for follow-up phishing. Attackers often weaponize breach context in emails: "your account at X was affected, click here to verify."
- Never reuse passwords across shops, banks, email, and cloud accounts.
- Use a password manager to generate unique credentials for every site.
- Enable multi-factor authentication on email first, because email resets everything else.
- If SSN, tax, healthcare, or payment data may be involved, add identity monitoring.
Immediate response checklist
For website owners and agencies, the response order matters. Patching first is not optional, but restoring from backup too quickly can reintroduce a backdoor.
- Confirm the patched cPanel/WHM build is installed and reboot if required.
- Restrict cPanel and WHM access by IP allowlist or VPN-only access.
- Disable stale FTP accounts, email accounts, and unused database users.
- Move backups off-server so ransomware cannot encrypt the only recovery copy.
- Run a server-side malware scan and a separate endpoint scan on admin workstations.
- Only restore clean backups after confirming the entry point is closed.
If you discover evidence of compromise, treat it as an incident: isolate the server, preserve logs, and engage professional incident response rather than restoring blindly.
How security tools fit into the defense
No consumer security product patches cPanel. But layered protection still matters. Modern antivirus suites can block ransomware behavior on admin laptops and catch phishing attempts that try to steal hosting credentials. Password managers enforce unique, long passwords and make credential rotation after a breach realistic. Identity monitoring helps if personal data stored on a compromised small-business site leaks into criminal marketplaces.
For agencies and freelancers, a business VPN or zero-trust access gateway makes cPanel and WHM reachable only after device verification, rather than leaving the control panel exposed to the whole internet.
Best tools to reduce your risk
Bitdefender Total Security 4.8/5
Best for: ransomware and exploit prevention · Price: From about $39.99/year promo pricing
- Strong behavior-based ransomware blocking
- Web attack prevention and phishing protection
- Light performance footprint for most devices
- VPN allowance is limited on lower plans
- Renewal pricing can rise after the first year
Norton 360 Deluxe 4.7/5
Best for: families that want antivirus plus identity features · Price: From about $49.99/year promo pricing
- Real-time malware protection plus cloud backup
- Dark web monitoring in many plans
- Good parental and device coverage
- Upsells can feel busy
- Full identity protection costs more
Malwarebytes Premium 4.5/5
Best for: second-opinion malware cleanup on admin machines · Price: From about $44.99/year
- Excellent remediation reputation
- Simple interface for non-technical users
- Browser Guard helps block malicious sites
- Fewer extras than full security suites
- Advanced family identity features are limited
1Password 4.8/5
Best for: unique passwords, MFA, and passkeys for hosting accounts · Price: From $2.99/month billed annually
- Strong vault security and Watchtower alerts
- Excellent passkey and family sharing support
- Travel Mode helps reduce border-device risk
- No permanent free tier
- Some advanced controls require business plans
Aura 4.6/5
Best for: identity monitoring after breach exposure · Price: From about $12/month billed annually
- Dark web, credit, and SSN monitoring
- Identity restoration support
- Bundles VPN and antivirus features
- More expensive than standalone antivirus
- Credit lock coverage varies by bureau and plan
Comparison table
| Product | Rating | Best for | Price | Key strengths |
|---|---|---|---|---|
| Bitdefender Total Security | 4.8/5 | ransomware and exploit prevention | From about $39.99/year promo pricing | Behavior-based ransomware blocking, phishing protection |
| Norton 360 Deluxe | 4.7/5 | families that want antivirus plus identity features | From about $49.99/year promo pricing | Real-time malware protection plus cloud backup, dark web monitoring |
| Malwarebytes Premium | 4.5/5 | second-opinion malware cleanup | From about $44.99/year | Strong remediation reputation, Browser Guard |
| 1Password | 4.8/5 | unique passwords and passkey adoption | From $2.99/month billed annually | Watchtower alerts, passkey and family sharing support |
| Aura | 4.6/5 | identity monitoring after breach exposure | From about $12/month billed annually | Dark web, credit, SSN monitoring, identity restoration |
Frequently asked questions
What are the three new cPanel CVEs patched on May 8, 2026?
CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203. Two carry a CVSS score of 8.8 and can lead to code execution or privilege escalation. CVE-2026-29203 involves unsafe symlink handling via chmod, enabling denial-of-service or privilege escalation.
Which cPanel versions are patched?
cPanel & WHM 11.136.0.9 and higher, and 11.134.0.25 and higher. Older supported tiers from 11.86 through 11.136, including the WP Squared (11.136 WP2) line, also received matching patched builds.
Is this related to the Sorry ransomware attacks?
It is a follow-up security release from cPanel ten days after CVE-2026-41940 was mass-exploited to deploy Sorry ransomware on roughly 44,000 servers. These three new CVEs are separate flaws, but the timing shows cPanel is under sustained attacker attention.
How do I know if my server is patched?
Log into WHM or run /usr/local/cpanel/cpanel -V from the command line to see the exact build. Compare it to the patched versions listed by cPanel. You can also run /scripts/upcp to force an update.
Do I need antivirus if my cPanel server is patched?
Server-side patching is the first layer. Endpoint antivirus on admin machines, site malware scanning, and a password manager still matter because attackers often pivot through stolen admin credentials, not only through unpatched bugs.
Bottom line
Two emergency cPanel patches in ten days is not a coincidence; it is a market signal. Hosting control panels are now a priority target for ransomware operators. If you run a site on cPanel, verify the patch, rotate credentials, lock down access, and keep off-server backups. If you are a consumer, assume some sites you use will be hit, and protect the accounts and identity data that sit behind them with unique passwords, MFA, and monitoring.