Severity by source
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N (base score 7.1, High)
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
Improper authorization checks of team members' privileges allow a team member to escalate privileges to the team owner account.
Analysis (AI)
Privilege escalation in cPanel and WP Squared allows an authenticated team member account to elevate privileges to the team owner, granting full control over the hosting account. The flaw stems from improper authorization checks within the team-member privilege model and carries a CVSS 7.1 (high integrity impact). …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The attacker must already hold valid credentials for a cPanel/WP Squared Team Manager sub-user account on the target server (PR:L), so the deployment must have the Team Manager feature in use with at least one delegated team-member account; single-owner cPanel accounts with no team members are not exploitable. … |
| Risk Assessment | The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N) indicates a network-reachable, low-complexity attack requiring only low-privileged authenticated access and no user interaction, with high integrity impact: a privilege-escalation primitive that needs an existing foothold, not an unauthenticated remote takeover. … |
| Exploit Scenario | A reseller, contractor, or junior staffer who has been granted a low-privilege Team Manager sub-account in cPanel sends a crafted authenticated request to a team-privilege endpoint that fails to validate that the caller is not attempting to act as the team owner. The authorization check evaluates the wrong subject, the request succeeds, and the team member gains owner-equivalent control of the hosting account, enabling them to read all hosted site data, modify other team members, or deploy malicious content. … |
| Remediation | Apply the vendor-released patch for your release tier as published in the cPanel May 13, 2026 security update (https://support.cpanel.net/hc/en-us/articles/40437254183959-Security-CVE-2026-32991-cPanel-WHM-WP2-Security-Update-May-13-2026): upgrade to cPanel 11.136.0.10, 11.134.0.26, 11.132.0.32, 11.130.0.23, 11.126.0.59, 11.124.0.38, 11.118.0.67, 11.110.0.119 (or 11.110.0.118 for the CloudLinux 6 / CentOS 6 build), or WP Squared 11.136.1.12. Most cPanel installations on the STABLE/RELEASE tiers will pick this up via the normal upcp auto-update process; note that the 11.110 line has two different fixed builds depending on the OS build, so compare against the right one. … |
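The "authorization check evaluates the wrong subject" pattern in the Exploit Scenario above, as an added illustration. This is not cPanel code and does not claim to be the actual vulnerable code path (which the page does not show); the toy Team Manager model, the `as_user` request parameter, the member names and the privilege strings are all this example's own assumptions. The vulnerable handler authorizes whatever subject the request names, so a member who names the owner passes the owner check and grants itself every privilege; the hardened handler binds the check to the authenticated session principal and ignores any caller-supplied subject.

```python
"""Authorization-subject confusion in a delegated team-privilege model.

Added example, not cPanel code. Team layout, the 'as_user' parameter and
the privilege names are hypothetical; the point is which subject the
owner check is evaluated against.
"""

# Hypothetical privilege set; "team" means "may manage other team members".
ALL_PRIVILEGES = frozenset({"email", "files", "databases", "team"})


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the action."""


def make_team():
    """Constructed sample team: owner 'acme' plus two delegated sub-users."""
    return {
        "owner": "acme",
        "members": {
            "alice": {"privs": {"email"}},
            "bob": {"privs": {"email", "files"}},
        },
    }


def is_owner(team, user):
    return user == team["owner"]


def _apply(team, params):
    """Shared state change: overwrite a member's privilege set."""
    member = params["member"]
    if member not in team["members"]:
        raise KeyError(f"no such team member: {member}")
    requested = set(params["privs"])
    if not requested <= ALL_PRIVILEGES:
        raise ValueError(f"unknown privileges: {requested - ALL_PRIVILEGES}")
    team["members"][member]["privs"] = requested


def vulnerable_set_privileges(team, session_user, params):
    """BUG: the owner check runs on the subject named in the request
    ('as_user'), falling back to the session user only when it is absent.
    A member who sends as_user=<owner> is therefore authorized as the owner."""
    subject = params.get("as_user", session_user)
    if not is_owner(team, subject):
        raise Forbidden(f"{subject} is not the team owner")
    _apply(team, params)
    return team


def fixed_set_privileges(team, session_user, params):
    """Authorize the authenticated principal; caller-supplied subjects are ignored."""
    if not is_owner(team, session_user):
        raise Forbidden(f"{session_user} is not the team owner")
    _apply(team, params)
    return team


def effective_privileges(team, user):
    """The owner implicitly holds everything; members hold what was granted."""
    if is_owner(team, user):
        return set(ALL_PRIVILEGES)
    return set(team["members"][user]["privs"])


def attempt(handler, team, session_user, params):
    """True if the handler accepted the request, False if it refused it."""
    try:
        handler(team, session_user, params)
        return True
    except Forbidden:
        return False


def demo():
    """Replay the same escalation request against both handlers as 'alice'.

    Returns the privileges alice ends up with under each implementation."""
    escalate = {"member": "alice", "privs": sorted(ALL_PRIVILEGES), "as_user": "acme"}
    results = {}
    team = make_team()
    attempt(vulnerable_set_privileges, team, "alice", escalate)  # accepted
    results["vulnerable"] = effective_privileges(team, "alice")
    team = make_team()
    attempt(fixed_set_privileges, team, "alice", escalate)       # refused
    results["fixed"] = effective_privileges(team, "alice")
    return results


if __name__ == "__main__":
    print(demo())
```

The fix is not "validate `as_user` better": a delegation endpoint should never take the authorizing subject from the request body at all, and the owner check must be evaluated on the session principal before any state change happens.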
Recommended Action (AI)
Within 24 hours: Identify all cPanel and WP Squared systems and prioritize critical production instances. …
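A way to carry out the inventory step above and the version comparison from the Remediation row, as an added example rather than a cPanel or vuln.today tool. The fixed builds are the ones listed on this page; the release-line-to-build table, the `cl6_build` flag for the 11.110 line, the treatment of release lines not listed in the advisory, and the sample version strings are this example's own assumptions. The path `/usr/local/cpanel/version` is where a cPanel host records its installed build.

```python
"""Classify a cPanel / WP Squared build against the May 13, 2026 fixed versions.

Added example, not a vendor tool. Fixed builds come from the advisory
versions quoted in the Remediation row; everything else here (the
branch table layout, cl6_build, 'unsupported') is this example's assumption.
"""
import os
import re

# (major, line) -> first fixed build on that release line.
CPANEL_FIXED = {
    (11, 136): 10, (11, 134): 26, (11, 132): 32, (11, 130): 23,
    (11, 126): 59, (11, 124): 38, (11, 118): 67, (11, 110): 119,
}
CPANEL_110_CL6_FIXED = 118          # CloudLinux 6 / CentOS 6 build of the 11.110 line
WP2_FIXED = {(11, 136): (1, 12)}    # WP Squared 11.136.1.12 as (minor, build)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """'11.130.0.22' -> (11, 130, 0, 22); rejects anything that is not four integers."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def _status(key, minor_build, table, fixed_for_key):
    if key not in table:
        # Assumption: a release line newer than any in the advisory already
        # carries the fix; an older unlisted line received no fixed build and
        # needs an upgrade to a supported line.
        return "patched" if key > max(table) else "unsupported"
    return "patched" if minor_build >= fixed_for_key else "vulnerable"


def cpanel_status(version, cl6_build=False):
    """'patched', 'vulnerable' or 'unsupported' for a cPanel/WHM build string.

    cl6_build selects the CloudLinux 6 / CentOS 6 fixed build for 11.110,
    which is lower (118) than the one for other OS builds (119)."""
    major, line, minor, build = parse_version(version)
    key = (major, line)
    fixed_build = CPANEL_FIXED.get(key)
    if key == (11, 110) and cl6_build:
        fixed_build = CPANEL_110_CL6_FIXED
    # Advisory builds are all on the .0. minor; a later minor on the same line
    # is treated as newer than the fixed build.
    return _status(key, (minor, build), CPANEL_FIXED, (0, fixed_build))


def wp2_status(version):
    """Same classification for a WP Squared build string."""
    major, line, minor, build = parse_version(version)
    key = (major, line)
    return _status(key, (minor, build), WP2_FIXED, WP2_FIXED.get(key))


def read_cpanel_version(path="/usr/local/cpanel/version"):
    """Installed cPanel build as recorded on the host."""
    with open(path) as fh:
        return fh.read().strip()


if __name__ == "__main__":
    # Constructed sample builds; no host is contacted.
    for v in ["11.130.0.22", "11.130.0.23", "11.110.0.118", "11.120.0.5", "11.138.0.1"]:
        print(f"{v:14s} cpanel={cpanel_status(v):12s} cpanel(CL6 build)={cpanel_status(v, cl6_build=True)}")
    for v in ["11.136.1.11", "11.136.1.12"]:
        print(f"{v:14s} wp2={wp2_status(v)}")
    if os.path.exists("/usr/local/cpanel/version"):
        local = read_cpanel_version()
        print("this host:", local, cpanel_status(local))
```

Run it across a fleet by feeding each host's `/usr/local/cpanel/version` into `cpanel_status`; only the 11.110 line needs the extra OS-build flag, and any "unsupported" result means the line has no fixed build in this advisory, not that it is safe.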
Related vulnerabilities
- Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary f…
- SQL injection in the cPanel/WHM sqloptimizer utility script allows attackers to execute arbitrary SQL queries as the MyS…
- Denial of service in the Cpanel::JSON::XS Perl module before version 4.41 allows remote attackers to crash any caller th…
- Type confusion in Cpanel::JSON::XS (Perl) versions before 4.41 allows remote attackers to crash a decoder by submitting…
- Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution…
- A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on…
Same weakness: CWE-863 – Incorrect Authorization
Same technique: Authentication Bypass
Related identifiers
EUVD-2026-30205
GHSA-cg6m-ghv2-fh4r