CVE-2026-29201: cPanel & WHM

What is CVE-2026-29201?

Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.

CVSS8.6 NVD 3.1

SeverityHIGH

ExploitationNo exploitation reported

Triage statusNo Known Exploit

ActionPatch this week

CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

NVD published2026-05-08

NVD last modified2026-05-13

Affected product

cPanel & WHM

Remediation Steps

Download latest cPanel/WHM security updates from vendor
Test patches on non-production hosting environments
Deploy patches during maintenance window with communication to users
Verify file permissions and feature loading mechanisms post-update
Monitor error logs for any compatibility issues with custom configurations

References

Coverage on defend.network

Vulnerability Priority Report – Week 2 of May 2026 (May 11 – 17)
Canvas ransomware hits universities; Ollama zero-day on 300k servers (2026-05-11)
Canvas extortion attack; JDownloader, Hugging Face & Trellix hit (2026-05-10)

🤖 This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.

What is CVE-2026-29201?

Affected product

Remediation Steps

References

Coverage on defend.network

Get Critical CVE Alerts