Skip to main content

cPanel WHM CVE-2026-32993

| EUVDEUVD-2026-30181 HIGH
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-05-13 support@hackerone.com GHSA-gc4w-fjw4-fm3h
8.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 08:56 vuln.today
Patch available
May 13, 2026 - 23:17 EUVD

DescriptionCVE.org

Improper sanitization of the status query parameter of the /unprotected/nova_error endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.

AnalysisAI

HTTP response header injection in cPanel, WHM, and WP Squared allows unauthenticated remote attackers to inject arbitrary headers via the unsanitized status query parameter of the /unprotected/nova_error endpoint. CVSS 8.3 reflects the changed scope (S:C) with low impact across confidentiality, integrity, and availability, consistent with CRLF-style header injection that can pivot into cache poisoning, session fixation, or open redirect chains. No public exploit identified at time of analysis, and EPSS is low at 0.07%, but a vendor patch is already available.

Technical ContextAI

The affected component is cPanel/WHM (and the WP Squared variant), a widely deployed web-hosting control panel suite. The vulnerability lies in the /unprotected/nova_error endpoint, which echoes the status query parameter back into the HTTP response without sanitizing CR/LF characters - the canonical pattern behind CWE-93 (Improper Control of a Generation of Code, a.k.a. CRLF Injection). Because the endpoint sits under /unprotected/, it is reachable pre-authentication, and any injected \r\n sequence terminates the current header and lets the attacker prepend new headers or split the response body.

RemediationAI

Apply the cPanel/WHM/WP2 Security Update dated May 13, 2026 (see https://support.cpanel.net/hc/en-us/articles/40437313190295-Security-CVE-2026-32993-cPanel-WHM-WP2-Security-Update-May-13-2026) by upgrading to at least 11.132.0.32 on the 11.132 branch, 11.134.0.26 on the 11.134 branch, 11.136.0.10 on the 11.136 branch, or 11.136.1.12 for WP Squared. If patching must be deferred, restrict access to the /unprotected/nova_error path at the front-end reverse proxy or WAF by dropping requests whose status parameter contains CR/LF (%0d, %0a) or by blocking the endpoint outright - note that blocking the endpoint may suppress legitimate error pages and degrade the user-facing error UX, so prefer the parameter-level filter where available.

Share

CVE-2026-32993 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy