What is CVE-2026-54420?
LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.
CISA Known Exploited Vulnerability
LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability
Affected product
LiteSpeed cPanel Plugin
NVD also lists CPE entries for: Litespeedtech Litespeed Cpanel Plugin, Litespeedtech Litespeed Whm Plugin
Remediation Steps
- Apply the patch for the LiteSpeed cPanel user-end plugin to all cPanel servers
- Test patched plugin functionality in a staging environment before production deployment
- Review server logs for evidence of exploitation attempts
- Notify hosting customers of patch deployment timeline
References
- https://blog.litespeedtech.com/2026/06/01/security-update-for-litespeed-cpanel-plugin-2/
- https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/cpanel
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-54420
- https://nvd.nist.gov/vuln/detail/CVE-2026-54420
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
🤖 This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.