What is CVE-2026-48172?
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026.

Detection is best done with the following command line in Bash:

    grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for activity from the detected IP addresses.

The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.
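The triage step described above (examine the IP addresses behind any matches) can be scripted. This is an added example, not code from the advisory or from LiteSpeed. It assumes matching lines are access-log style with the client IP in the first field, and the function names, sample lines and placeholder request path are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: per-IP summary of log lines containing the indicator string
# quoted in the advisory text.
# Assumption: matching lines are access-log style, client IP in field 1.

INDICATOR='cpanel_jsonapi_func=redisAble'

# summarise_hits DIR...  ->  "<count> <ip>" lines, busiest source first.
# Rotated *.gz logs are decompressed on the fly; a plain grep -r would only
# see their compressed bytes and miss older hits.
summarise_hits() {
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        case "$f" in
            *.gz) gzip -cd -- "$f" ;;
            *)    cat -- "$f" ;;
        esac
    done 2>/dev/null |
        grep -aF "$INDICATOR" |
        awk '{ print $1 }' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# make_sample_logs DIR: writes CONSTRUCTED log lines (documentation-range
# IPs, placeholder path) so the summary can be tried offline.
make_sample_logs() {
    mkdir -p "$1"
    {
        echo '203.0.113.7 - alice [21/May/2026:10:00:01 +0000] "POST /placeholder?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0'
        echo '198.51.100.9 - bob [21/May/2026:10:00:02 +0000] "GET /placeholder?cpanel_jsonapi_func=other HTTP/1.1" 200 0'
        echo '203.0.113.7 - alice [21/May/2026:10:00:03 +0000] "POST /placeholder?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0'
    } > "$1/access_log"
    echo '192.0.2.44 - carol [14/May/2026:09:00:00 +0000] "POST /placeholder?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0' |
        gzip -c > "$1/access_log.1.gz"
}

# Real use: pass the two directories from the grep command as arguments.
if [ "$#" -gt 0 ]; then
    summarise_hits "$@"
fi
```

An empty result only covers the logs still present on disk, so check the log retention period before treating it as a clean bill of health.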
CISA Known Exploited Vulnerability
LiteSpeed cPanel Plugin Privilege Escalation Vulnerability
Affected product
LiteSpeed cPanel Plugin
NVD also lists CPE entries for: Litespeedtech Litespeed Cpanel Plugin, Litespeedtech Litespeed Whm Plugin
Remediation Steps
- Apply the latest security patch from LiteSpeed for the cPanel Plugin immediately
- Verify that only authorized cPanel users have access to affected systems
- Review system logs for evidence of exploitation or unauthorized script execution
- Restrict cPanel administrative access to trusted networks where feasible
References
- https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/
- https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/cpanel
- https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/release-log
- https://nvd.nist.gov/vuln/detail/CVE-2026-48172
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog