[Important] cPanel & WHM Security Update CVE-2026-29201, CVE-2026-29202, CVE-2026-29203 Patch Arriving May 08, 12:00pm EST

Tweet

Dear Customers,

We are reaching out to inform you of a critical security vulnerability newly identified in cPanel & WHM. To ensure your server remains protected against unauthorized access, we need you to take immediate action today.

To help protect customers prior to patch availability, technical details about vulnerabilities will be released alongside the patches. Full technical details will be published on cPanel support page at the same time the patch is released. The CVE IDs are CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203. 

Patch & Affected Versions 

The patch will be available on May 08 at 12:00pm EST and will be distributed through the standard cPanel automatic update process and through the manual update process. We strongly recommend performing a manual update with /scripts/upcp once the patch is made available.

Patched versions:

If you are running an unsupported version of cPanel & WHM not listed above, please update to the latest version using /scripts/upcp

Prepare Now

• Identify affected servers.  Review your servers on the affected version branches above. 
• Check the update configuration.  For servers where automatic updates are disabled or version-pinned, review /etc/cpupdate.conf now, so there are no delays when the patch lands. 
• Brief your team.  If your environment requires a maintenance window, notify the relevant people so they are ready to act. 
• Manual update. If your team wishes to update impacted servers before an automatic update is triggered, run /scripts/upcp once the patch is made available. 
• Note for CloudLinux 6 users: Before manually updating, set the update tier to the cl6110 branch by running sed -i "s/CPANEL=.*/CPANEL=cl6110/g" /etc/cpupdate.conf 

Kind regards,
SLH Support Team