
LiteSpeed cPanel Plugin EUVD-2026-36657

CVE-2026-54420 · HIGH
UNIX Symbolic Link (Symlink) Following (CWE-61)
Published 2026-06-14 · Source: mitre · Advisory: GHSA-3g44-c4qc-cxm8
CVSS 3.1 base score 8.5 (Vendor: mitre)

Severity by source

Vendor (mitre), primary rating: 8.5 HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

vuln.today AI rating: 7.8 HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Rationale for the AI rating: the attacker needs an existing tenant account with write access to the filesystem inside CageFS (PR:L, AV:L); exploitation depends on the specific CageFS setup and on winning a race (AC:H); and a symlink escape breaks the cage's security authority (S:C, C/I/A:H). The two ratings differ in Attack Vector only: the vendor scores the remote FTP or web-shell entry point as Network, while the AI rating treats planting the symlink as a Local action because it requires write access inside the cage. That single metric is what separates 8.5 from 7.8; every other metric is identical.

Primary rating from Vendor (mitre).

CVSS Vector (Vendor: mitre)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Jun 14, 2026 03:23 · CVE Published (cve.org)
Jun 14, 2026 04:12 · Analysis Generated (vuln.today)
Jun 14, 2026 05:00 · Patch available (EUVD)
Jun 15, 2026 19:31 · Added to CISA KEV (CISA)

Description (CVE.org)

LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.

Analysis (AI)

Symlink mishandling in the LiteSpeed cPanel Plugin before 2.4.8 (and in the LiteSpeed WHM PlugIn before 5.3.2.0, which bundles it) lets a low-privileged tenant on a shared CloudLinux/CageFS host escape the per-user filesystem jail by planting symlinks that the plugin then follows with elevated privileges. The CVE record states the flaw was exploited against shared hosting providers in May 2026. The CVSS 8.5 score with Scope:Changed reflects cross-tenant compromise: through the escaping link, other customers' files on the same server become readable or writable by the attacking tenant. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: acquire or compromise a tenant account
Delivery: upload a malicious symlink via FTP or web shell
Exploit: trigger a LiteSpeed cPanel plugin file operation on the planted path
Execution: the plugin follows the symlink outside CageFS with its elevated privileges
Persist: read or overwrite other tenants' files
Impact: escalate to cross-site backdooring and credential theft

Vulnerability Assessment (AI)

Exploitation: exploitation requires all of: (1) the target server is a shared hosting box running CloudLinux with CageFS enabled; (2) the LiteSpeed cPanel Plugin is installed at a version before 2.4.8 (or the LiteSpeed WHM PlugIn at a version before 5.3.2.0); and (3) the attacker already holds write access inside a tenant's CageFS root, via FTP credentials or a previously planted web shell. Nothing in the CVE record suggests an unauthenticated path: the symlink has to be placed by someone who can already write inside the cage. …

Risk Assessment: the reported CVSS 3.1 vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H gives 8.5 High, driven mainly by Scope:Changed and full C/I/A impact. That is the right call: CageFS is the security boundary between tenants, a cage escape crosses it, and so the impact lands on other customers rather than on the attacker's own account. …

Exploit Scenario: an attacker buys a cheap account on a vulnerable shared hosting provider, or compromises an existing customer site through a weak WordPress password, and so gains FTP or web-shell write access inside their own CageFS. They replace a file the LiteSpeed cPanel plugin is known to read or write during routine cPanel actions with a symlink pointing at another tenant's wp-config.php or at /etc/shadow. When the plugin next touches that path it dereferences the link with its elevated privileges and either returns the target's contents or overwrites it, giving the attacker cross-tenant data theft and a way to backdoor neighbouring sites. Where the plugin validates the path before using it, the link has to be swapped in between the check and the use, which is the race behind the High attack-complexity rating. …
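The pattern in this scenario, as an added example that is not LiteSpeed's code and not taken from the patch: a privileged helper that opens a tenant-supplied path by name follows whatever link the tenant planted, while an openat-style walk that applies O_NOFOLLOW to every path component refuses it. The directory layout, the file names and the "tenant1"/"victim" pair are constructed for the demo; nothing here reflects the plugin's real file paths.

```python
import errno
import os
import tempfile


class SymlinkEscape(Exception):
    """Raised when a tenant-supplied path tries to leave its root."""


# Constructed fixture, not from the advisory: a tenant root standing in for a
# CageFS jail, a neighbouring tenant's file outside it, and a planted symlink.
def build_fixture():
    base = tempfile.mkdtemp(prefix="symlink-demo-")
    cage = os.path.join(base, "home", "tenant1")
    os.makedirs(os.path.join(cage, "public_html"))
    with open(os.path.join(cage, "public_html", "index.php"), "w") as f:
        f.write("<?php // tenant1's own file\n")
    victim = os.path.join(base, "home", "victim", "wp-config.php")
    os.makedirs(os.path.dirname(victim))
    with open(victim, "w") as f:
        f.write("DB_PASSWORD=victim-secret\n")
    # The attacker replaces a file the privileged helper will touch with a link.
    planted = os.path.join(cage, "public_html", ".htaccess")
    os.symlink(victim, planted)
    return cage, planted, victim


# Vulnerable pattern: a helper running as root opens the tenant path by name,
# so the kernel silently follows whatever the tenant planted there.
def naive_read(path):
    with open(path, "rb") as f:
        return f.read()


def naive_write(path, data):
    with open(path, "wb") as f:
        f.write(data)


# Hardened pattern: resolve one component at a time relative to the previous
# directory descriptor, with O_NOFOLLOW on every step and ".." rejected. Each
# step opens relative to an fd rather than a path string, so the tenant cannot
# swap a directory for a link between check and use. Returns an open fd.
def open_beneath(root, relpath, flags=os.O_RDONLY):
    if os.path.isabs(relpath):
        raise SymlinkEscape("absolute path supplied: %r" % relpath)
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts:
        raise SymlinkEscape("empty path")
    dirfd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)  # root is admin-owned
    try:
        for i, part in enumerate(parts):
            if part == "..":
                raise SymlinkEscape("parent traversal in %r" % relpath)
            last = i == len(parts) - 1
            step = flags if last else os.O_RDONLY | os.O_DIRECTORY
            try:
                fd = os.open(part, step | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=dirfd)
            except OSError as e:
                # O_NOFOLLOW on a symlink fails with ELOOP (EMLINK on some BSDs).
                if e.errno in (errno.ELOOP, errno.EMLINK):
                    raise SymlinkEscape("symlink at component %r" % part) from e
                raise
            os.close(dirfd)
            dirfd = fd
        return dirfd
    except Exception:
        os.close(dirfd)
        raise


def read_beneath(root, relpath):
    with os.fdopen(open_beneath(root, relpath), "rb") as f:
        return f.read()


def refused(root, relpath):
    """True if open_beneath rejects relpath under root."""
    try:
        os.close(open_beneath(root, relpath))
        return False
    except SymlinkEscape:
        return True


def demo():
    cage, planted, victim = build_fixture()
    leaked = naive_read(planted)                       # the neighbour's secret leaks
    naive_write(planted, b"overwritten by tenant1\n")  # and the link is writable too
    with open(victim, "rb") as f:
        overwritten = f.read()
    return {
        "leaked": leaked,
        "overwritten": overwritten,
        "link_refused": refused(cage, "public_html/.htaccess"),
        "dotdot_refused": refused(cage, "public_html/../../victim/wp-config.php"),
        "own_file": read_beneath(cage, "public_html/index.php"),  # legit path still works
    }
```

On Linux 5.6 and later the same guarantee is available in a single system call, openat2(2) with RESOLVE_BENEATH | RESOLVE_NO_SYMLINKS; the per-component walk above is the portable equivalent. Neither catches hard links or mount points placed inside the cage, and the stronger fix for a control-panel helper is to drop to the tenant's uid (or enter the tenant's cage) before touching tenant files at all, so the kernel's own permission checks do the work instead of path filtering.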
Remediation: vendor-released patch. Upgrade the LiteSpeed cPanel Plugin to 2.4.8 or later; on WHM installations that corresponds to LiteSpeed WHM PlugIn 5.3.2.0 or later. See https://blog.litespeedtech.com/2026/06/01/security-update-for-litespeed-cpanel-plugin-2/ and the product page at https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/cpanel. …

Recommended Action (AI)

Within 24 hours: inventory all systems running affected LiteSpeed versions (cPanel Plugin before 2.4.8; WHM PlugIn before 5.3.2.0) and quantify the exposure scope. Since in-the-wild exploitation (May 2026) predates the fix, treat unpatched CloudLinux/CageFS hosts as possibly already abused and check tenant homes for planted symlinks, not only the plugin version. …

