58 matches found
PT-2026-40440
Name of the Vulnerable Software and Affected Versions: cPanel & WHM (affected versions not specified) Description: Improper sanitization of the status query parameter in the '/unprotected/nova error' endpoint allows an unauthenticated attacker to inject arbitrary HTTP headers into the response...
PT-2026-38674
Name of the Vulnerable Software and Affected Versions: cPanel versions prior to 11.136.0.9 cPanel versions prior to 11.136.1.10 WP Squared cPanel versions prior to 11.134.0.25 cPanel versions prior to 11.132.0.31 cPanel versions prior to 11.130.0.22 cPanel versions prior to 11.126.0.58 cPanel...
Exploit for Missing Authentication for Critical Function in Cpanel
CVE-2026-41940-POC cPanel/WHM Authentication Bypass Proof of...
Exploit for Missing Authentication for Critical Function in Cpanel
CVE-2026-41940 - cPanel & WHM Authentication Bypass Proof of C...
WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel...
PT-2026-35936
Name of the Vulnerable Software and Affected Versions: cPanel and WHM versions prior to 11.86.0.41; cPanel and WHM versions prior to 11.110.0.97; cPanel and WHM versions prior to 11.118.0.63; cPanel and WHM versions prior to 11.124.0.35; cPanel and WHM versions prior to 11.126.0.54; cPanel and WHM...
CVE-2017-18456
cPanel before 62.0.17 allows self XSS in the WHM cPAddons showsecurity interface (SEC-217)...
EUVD-2006-6181
Malware in sbrugna...
EUVD-2007-0886
Malware in sbrugna...
EUVD-2012-6301
Malware in sbrugna...
EUVD-2006-6531
Malware in sbrugna...
CVE-2018-20903
cPanel before 71.9980.37 allows self XSS in the WHM Backup Configuration interface (SEC-421)...
SUSE CVE-2025-43921
GNU Mailman 2.1.39, as bundled in cPanel and WHM, allows unauthenticated attackers to create lists via the /mailman/create endpoint. NOTE: multiple third parties report that they are unable to reproduce this, regardless of whether cPanel or WHM is used...
CVE-2025-43921
GNU Mailman 2.1.39, as bundled in cPanel and WHM, allows unauthenticated attackers to create lists via the /mailman/create endpoint. NOTE: multiple third parties report that they are unable to reproduce this, regardless of whether cPanel or WHM is used...
PT-2024-9769
Name of the Vulnerable Software and Affected Versions: Acronis Backup plugin for cPanel & WHM Linux versions before build 818 Acronis Backup extension for Plesk Linux versions before build 599 Acronis Backup plugin for DirectAdmin Linux versions before build 181 Description: The issue is related ...
CVE-2021-38585
The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585)...
Cross site scripting
Cross-site Scripting (XSS) in cPanel WebHost Manager (WHM) 11.34.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...
CVE-2019-17380
cPanel before 82.0.15 allows self XSS in the WHM Update Preferences interface (SEC-528)...
CVE-2016-10797
cPanel before 58.0.4 allows WHM "Purchase and Install an SSL Certificate" page visitors to list all server domains (SEC-133)...
cPanel Cross-Site Scripting Vulnerability (CNVD-2019-26358)
cPanel is a set of Web-based automated colocation platforms from the American company cPanel. The platform is primarily used to automate the management of websites and servers. A cross-site scripting vulnerability exists in the WHM listips interface in versions prior to cPanel 68.0.27. The...