Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper sanitization of the status query parameter of the /unprotected/nova_error endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.
AnalysisAI
HTTP response header injection in cPanel, WHM, and WP Squared allows unauthenticated remote attackers to inject arbitrary headers via the unsanitized status query parameter of the /unprotected/nova_error endpoint. CVSS 8.3 reflects the changed scope (S:C) with low impact across confidentiality, integrity, and availability, consistent with CRLF-style header injection that can pivot into cache poisoning, session fixation, or open redirect chains. No public exploit identified at time of analysis, and EPSS is low at 0.07%, but a vendor patch is already available.
Technical ContextAI
The affected component is cPanel/WHM (and the WP Squared variant), a widely deployed web-hosting control panel suite. The vulnerability lies in the /unprotected/nova_error endpoint, which echoes the status query parameter back into the HTTP response without sanitizing CR/LF characters - the canonical pattern behind CWE-93 (Improper Control of a Generation of Code, a.k.a. CRLF Injection). Because the endpoint sits under /unprotected/, it is reachable pre-authentication, and any injected \r\n sequence terminates the current header and lets the attacker prepend new headers or split the response body.
RemediationAI
Apply the cPanel/WHM/WP2 Security Update dated May 13, 2026 (see https://support.cpanel.net/hc/en-us/articles/40437313190295-Security-CVE-2026-32993-cPanel-WHM-WP2-Security-Update-May-13-2026) by upgrading to at least 11.132.0.32 on the 11.132 branch, 11.134.0.26 on the 11.134 branch, 11.136.0.10 on the 11.136 branch, or 11.136.1.12 for WP Squared. If patching must be deferred, restrict access to the /unprotected/nova_error path at the front-end reverse proxy or WAF by dropping requests whose status parameter contains CR/LF (%0d, %0a) or by blocking the endpoint outright - note that blocking the endpoint may suppress legitimate error pages and degrade the user-facing error UX, so prefer the parameter-level filter where available.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30181
GHSA-gc4w-fjw4-fm3h