ctipilot.ch · Switzerland · Europe · Public sector


Apply cPanel/WHM second-TSR patches now — embargo lifted, post-auth RCE is real

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

cPanel/WHM hosts that recovered from the CVE-2026-41940 wave should immediately apply the patched versions 11.136.0.9+ / 11.134.0.25+ / 11.132.0.31+ (The Hacker News, 2026-05-09 · Panelica technical analysis, 2026-05-08). CVE-2026-29202 (post-auth Perl RCE in create_user, CVSS 8.8) is the priority item; CVE-2026-29203 (CVSS 8.8 chmod abuse) and CVE-2026-29201 (CVSS 4.3 file disclosure) ship in the same update. Operators with auto-update disabled or version-pinned builds must run /scripts/upcp manually.
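
A version check for the guidance above, as an added example (not from the brief or from cPanel): it compares a version string with the patched minimums quoted here and reports branches the brief does not name as unlisted instead of guessing. It assumes the installed version is stored in /usr/local/cpanel/version in 11.<branch>.0.<build> form; the function name patch_status is illustrative.

```shell
#!/bin/sh
# Added example: classify a cPanel/WHM version against the patched minimums
# quoted in this brief (11.136.0.9+ / 11.134.0.25+ / 11.132.0.31+).

# patch_status VERSION -> prints patched | unpatched | unlisted | invalid
patch_status() {
    ver=$1
    # Accept only digits and single dots, with no leading or trailing dot.
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 0 ;;
    esac
    # Split on dots into exactly four fields: major.branch.minor.build
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 0; }
    major=$1; branch=$2; minor=$3; build=$4

    # The brief only gives minimums for these 11.x.0 branches.
    if [ "$major" -ne 11 ] || [ "$minor" -ne 0 ]; then
        echo unlisted; return 0
    fi
    case $branch in
        136) min=9 ;;
        134) min=25 ;;
        132) min=31 ;;
        *)   echo unlisted; return 0 ;;   # not covered by the brief
    esac
    if [ "$build" -ge "$min" ]; then echo patched; else echo unpatched; fi
}

# Assumption: the installed version lives in this file on a cPanel host.
version_file=/usr/local/cpanel/version
if [ -r "$version_file" ]; then
    installed=$(cat "$version_file")
    status=$(patch_status "$installed")
    echo "cPanel $installed: $status"
    # The brief's remediation for hosts without auto-update.
    [ "$status" = unpatched ] && echo "Run /scripts/upcp to update."
fi
```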