LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:HLitespeedtech Litespeed Cpanel Plugin
APPLitespeedtech< 2.4.8Litespeedtech Litespeed Whm Plugin
APPLitespeedtech< 5.3.2.0
CISA KEV — detailsi
- Vendori
- LiteSpeed
- Producti
- cPanel Plugin
- Added to KEVi
- June 15, 2026
- Remediation deadline (US Federal)i
- June 18, 2026(overdue)
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
LiteSpeed cPanel plugin contains a UNIX symbolic link (Symlink) following vulnerability that could allow a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS.
Related vulnerabilities
LiteSpeed cPanel Plugin — privilege escalation (możliwe root) via Redis
LiteSpeed Cache – nieuwierzytelnione przejęcie konta przez ujawnione dane logowania
Privilege escalation bez uwierzytelnienia w LiteSpeed Cache dla WordPress
Błędna walidacja DCID w bibliotece LiteSpeed QUIC (LSQUIC)
liblsquic/lsquic_qenc_hdl.c in LiteSpeed QUIC (aka LSQUIC) before 3.1.0 mishandles MAX_TABLE_CAPACITY.