cPanel & WHM Security: CVE-2026-29201 - cPanel & WHM / WP2 Security Update - May 09, 2026

Cause

An arbitrary file read was found in the feature::LOADFEATUREFILE adminbin call, which does not adequately validate the feature file name. A relative path may be passed as the argument to this call, causing an arbitrary file to be made world-readable.

 

Resolution

We have pushed out a patch in the following cPanel & WHM versions: 

  • 11.136.0.9 and higher
  • 11.134.0.25 and higher
  • 11.132.0.31 and higher
  • 11.130.0.22 and higher
  • 11.126.0.58 and higher
  • 11.124.0.37 and higher
  • 11.118.0.66 and higher
  • 11.110.0.116 and higher
  • 11.110.0.117 and higher
  • 11.102.0.41 and higher
  • 11.94.0.30 and higher
  • 11.86.0.43 and higher

We have pushed out a patch in the following WP Squared version:

  • 11.136.1.10 and higher

For customers still on CentOS 6 or CloudLinux 6, we have also released v110.0.114 as a direct update. To upgrade to this version, run the following command to set the upgrade tier, and then follow the steps in the "Required Actions" below.

    sed -i "s/CPANEL=.*/CPANEL=cl6110/g" /etc/cpupdate.conf

Note: All further versions of cPanel are patched for this issue as well. Please see the latest changelogs for version information of each cPanel branch:
https://docs.cpanel.net/changelogs/

 

Required Actions

  1. Update the cPanel version on the server to one of the versions listed above. This can be done with the following:

    /scripts/upcp --force

  2. Once completed, verify the cPanel version with the following to ensure the update was successful.

    /usr/local/cpanel/cpanel -V
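
A version check against the patched builds listed above, as an added example that is not part of the original advisory. It assumes the version is supplied in the four-part form the advisory uses (11.<branch>.<minor>.<build>); the function names are hypothetical, and the CentOS 6 / CloudLinux 6 direct update is not covered.

```shell
#!/bin/sh
# Added example, not part of the advisory. Function names are hypothetical.
# Input form assumed: 11.<branch>.<minor>.<build>, as the advisory writes it.
# The CentOS 6 / CloudLinux 6 direct update (v110.0.114) is not covered.

# Print the first patched build for "<branch>.<minor>"; fail if not listed.
min_patched_build() {
    case "$1" in
        136.1) echo 10 ;;    # WP Squared
        136.0) echo 9 ;;
        134.0) echo 25 ;;
        132.0) echo 31 ;;
        130.0) echo 22 ;;
        126.0) echo 58 ;;
        124.0) echo 37 ;;
        118.0) echo 66 ;;
        110.0) echo 116 ;;
        102.0) echo 41 ;;
        94.0)  echo 30 ;;
        86.0)  echo 43 ;;
        *)     return 1 ;;
    esac
}

# Print patched, vulnerable or unknown for one version string.
check_version() {
    case "$1" in
        ''|*[!0-9.]*) echo unknown; return 0 ;;   # digits and dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                     # split on dots
    IFS=$old_ifs
    if [ "$#" -ne 4 ] || [ "$1" != 11 ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ]; then
        echo unknown; return 0
    fi
    # Branches after 11.136: read from the advisory's note that all
    # further versions carry the fix.
    if [ "$2" -gt 136 ]; then echo patched; return 0; fi
    min=$(min_patched_build "$2.$3") || { echo unknown; return 0; }
    if [ "$4" -ge "$min" ]; then echo patched; else echo vulnerable; fi
}

# Usage: sh check.sh 11.110.0.115 11.136.0.9
for v in "$@"; do
    printf '%s\t%s\n' "$v" "$(check_version "$v")"
done
```

A result of unknown means the branch has no patched build in the list above, or the string is not in the assumed form.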

