Critical | Known exploited (KEV) | CVE-2026-48172

Privilege escalation in the LiteSpeed cPanel plugin (CVE-2026-48172) — any cPanel user gains root

LiteSpeed cPanel Plugin | Added to KEV: May 26, 2026 | Federal remediation due: 2026-05-29

The cPanel plugin for the LiteSpeed web server has a privilege-escalation flaw: any cPanel user account can run arbitrary scripts as root. CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; NVD rates it CVSS 9.8 (Critical).

Key facts

  • CVE ID: CVE-2026-48172
  • CVSS base score: 9.8 CRITICAL
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Affected (vendor / product): LiteSpeed cPanel Plugin
  • CWE: CWE-266
  • Exploitation: Listed in CISA KEV (exploitation confirmed)
  • Remediation due: 2026-05-29 (U.S. federal civilian agencies, BOD 22-01)

Key points

  • Privilege escalation (CWE-266) in the LiteSpeed cPanel Plugin (LiteSpeed × cPanel integration)
  • Any cPanel user account can execute arbitrary scripts with root privileges
  • In shared hosting, one user's compromise leads directly to whole-server compromise
  • Listed in CISA KEV = exploitation confirmed; CVSS 9.8 Critical, per NVD
  • Response: update the plugin to a safe version and review server logs for signs of escalation

CVE-2026-48172 is a privilege-escalation vulnerability (CWE-266, incorrect privilege assignment) in the LiteSpeed cPanel Plugin, the component that lets the high-performance LiteSpeed web server be operated from cPanel, a widely used hosting control panel.

Per public information, the flaw is exposed through the user-facing cPanel plugin and lets any cPanel user account execute arbitrary scripts with root privileges. In other words, an ordinary user who should only be able to operate within their own area can seize the server's highest privilege.

This is severe in shared hosting (many users and sites co-located on one server). An attacker only needs to obtain a single cheap account to gain root and reach the data and sites of every other user on the same server, with serious impact across confidentiality, integrity, and availability.

Key response: check LiteSpeed's official information, identify whether the installed plugin version is affected, and update to a safe version. CISA required federal civilian agencies to remediate by May 29, 2026. Hosting providers and server administrators should, beyond updating the plugin, review server logs for suspicious script execution or other signs that a user account has obtained root.
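The log review recommended above needs something concrete to look for. Because the advisory describes the outcome (an ordinary cPanel account running scripts as root) but not the mechanism, a reasonable generic indicator is an execve() where the kernel's login uid (auid) belongs to a hosting account while the effective uid is 0. The script below is an added example written for this article; it is not code from LiteSpeed, cPanel or CISA. It assumes Linux auditd is recording execve calls (for example with the rule `-a always,exit -F arch=b64 -S execve -k exec`), that hosting accounts have uids at or above 1000, and that `/usr/bin/sudo` and `/usr/bin/su` are the only expected paths to root; the audit records it parses are constructed samples in real auditd syntax, not data from any incident.

```python
"""Flag auditd execve records where a non-root login session runs code as root."""
import re
from dataclasses import dataclass

UNSET_AUID = 4294967295          # kernel sentinel: no login uid (daemons, boot-time processes)
FIRST_USER_UID = 1000            # assumption: hosting accounts live at or above this uid
EXECVE_SYSCALLS = {"59", "322"}  # execve / execveat on x86_64 (arch=c000003e)
# Assumption: the only sanctioned ways for a user session to become root.
EXPECTED_ROOT_TRANSITIONS = {"/usr/bin/sudo", "/usr/bin/su"}

# Constructed sample records. Syntax is genuine auditd SYSCALL output; every value
# (uids, pids, timestamps, binaries) is made up for this example.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1716717662.101:301): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2210 auid=1003 uid=1003 gid=1003 euid=1003 suid=1003 fsuid=1003 egid=1003 sgid=1003 fsgid=1003 tty=pts0 ses=7 comm="php" exe="/usr/bin/php" key="exec"
type=SYSCALL msg=audit(1716717663.220:302): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2215 auid=1003 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="sh" exe="/usr/bin/dash" key="exec"
type=SYSCALL msg=audit(1716717670.005:303): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=2300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="exec"
type=SYSCALL msg=audit(1716717680.410:304): arch=c000003e syscall=59 success=yes exit=0 ppid=2400 pid=2410 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=8 comm="sudo" exe="/usr/bin/sudo" key="exec"
"""


@dataclass
class Finding:
    serial: str   # audit event serial, for pulling the matching EXECVE/CWD/PATH records
    auid: int     # login uid of the session that ended up executing as root
    exe: str
    comm: str


def parse_record(line: str) -> dict:
    """Split one auditd record into its key=value fields, stripping quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def find_root_escalations(log_text: str) -> list:
    """Return execve records where a hosting-account session has euid 0.

    Records from root logins and uid-less daemons are skipped, as are the
    allowlisted sudo/su binaries themselves.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") not in EXECVE_SYSCALLS:
            continue
        auid = int(rec.get("auid", UNSET_AUID))
        euid = int(rec.get("euid", -1))
        if auid == UNSET_AUID or auid < FIRST_USER_UID:
            continue  # daemon or privileged login: not a tenant session
        if euid != 0:
            continue  # still running with the user's own privileges
        exe = rec.get("exe", "")
        if exe in EXPECTED_ROOT_TRANSITIONS:
            continue  # sanctioned transition; its own log covers it
        match = re.search(r"audit\([\d.]+:(\d+)\)", rec.get("msg", ""))
        serial = match.group(1) if match else "?"
        findings.append(Finding(serial, auid, exe, rec.get("comm", "")))
    return findings


if __name__ == "__main__":
    for f in find_root_escalations(SAMPLE_AUDIT_LOG):
        print(f"event {f.serial}: login uid {f.auid} executed {f.exe} ({f.comm}) as root")
```

On the sample data only event 302 is reported: a php process of uid 1003 spawned a shell running as root, which is exactly the shape of behaviour the advisory describes. The heuristic is deliberately coarse: commands launched from a legitimate sudo session keep the user's auid and euid 0, so they would be flagged too and have to be reconciled against sudo's own log or the ppid chain, and on a real server you would feed it `ausearch -k exec --raw` output rather than an inline string. Whatever the plugin's actual log files look like should be reviewed alongside this.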

Why it matters

This flaw broadly affects hosting and shared-hosting providers and the many sites running on their servers. Being able to seize root from a cheap ordinary account is critical; immediate plugin updates and server-wide compromise checks are the priorities. It underscores the importance of privilege separation in multi-tenant environments.

FAQ

What are cPanel and LiteSpeed?
cPanel is a control panel for managing hosting; LiteSpeed is a high-performance web server. This vulnerability is in the plugin that integrates the two.
What is privilege escalation?
Illicitly gaining higher privileges than granted — here, the server's top-level root. An ordinary user can end up controlling the entire server.
What should I do?
Check LiteSpeed's official information for affected versions and update to a safe version. It is especially high-priority in shared hosting; reviewing server logs is also recommended.

Sources (primary)

This article is an independent compilation based on the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.

Tags: #LiteSpeed #cPanel #Hosting #Privilege escalation #Web server
Disclaimer: This site independently summarizes and classifies information based on official data sources. Always verify the latest and accurate information with the official sources. Content on finance, health, legal, and security is information, not advice. This site is not an official website of the U.S. government.