HIGH🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2026-54420

CVSS 8.5v3.1pub. 2026-06-14upd. 2026-06-16

LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Litespeedtech Litespeed Cpanel Plugin

    APP
    Litespeedtech
    < 2.4.8
  • Litespeedtech Litespeed Whm Plugin

    APP
    Litespeedtech
    < 5.3.2.0

CISA KEV — detailsi

Vendori
LiteSpeed
Producti
cPanel Plugin
Added to KEVi
June 15, 2026
Remediation deadline (US Federal)i
June 18, 2026(overdue)
Required action (CISA)i

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CISA descriptioni

LiteSpeed cPanel plugin contains a UNIX symbolic link (Symlink) following vulnerability that could allow a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 18 czerwca 2026
CWE
References

Related vulnerabilities

CVE-2026-48172CRITICAL10.0⚠ KEVPL ✓ten sam produkt

LiteSpeed cPanel Plugin — privilege escalation (możliwe root) via Redis

CVE-2024-44000CRITICAL9.8PL ✓ten sam vendor

LiteSpeed Cache – nieuwierzytelnione przejęcie konta przez ujawnione dane logowania

CVE-2024-28000CRITICAL9.8PL ✓ten sam vendor

Privilege escalation bez uwierzytelnienia w LiteSpeed Cache dla WordPress

CVE-2024-25678CRITICAL9.8PL ✓ten sam vendor

Błędna walidacja DCID w bibliotece LiteSpeed QUIC (LSQUIC)

CVE-2022-30592CRITICAL9.8ten sam vendor

liblsquic/lsquic_qenc_hdl.c in LiteSpeed QUIC (aka LSQUIC) before 3.1.0 mishandles MAX_TABLE_CAPACITY.