ctipilot.ch


CVE-2026-54420 — LiteSpeed cPanel/WHM plugin: symlink-following on shared hosting, exploited in the wild (CISA KEV)

From CTI Daily Brief — 2026-06-16 · published 2026-06-16

The LiteSpeed cPanel plugin before 2.4.8 (shipped with LiteSpeed WHM PlugIn 5.3.2.1 as the fixed release) follows symlinks planted by a tenant with FTP or web-shell access on a CloudLinux/CageFS shared-hosting server. A symlink created inside the attacker's own account can point at another tenant's files, and when the plugin handles that path it resolves the link instead of rejecting it, giving cross-account file access and a route to privilege escalation. NVD records exploitation in the wild in May 2026 (NVD CVSS 8.5), and CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2026-06-15 (CISA, 2026-06-15). Hosting providers, and any public-sector tenant on shared CloudLinux infrastructure, are the most exposed. Update to WHM PlugIn 5.3.2.1 / cPanel plugin 2.4.8; until that is done, treat any symlink under a tenant home that resolves outside that home as suspect, since that is the artifact the attacker has to leave behind.
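The bug class above, illustrated as an added example rather than the plugin's own code: a privileged helper that opens a path inside a tenant's home without checking for symlinks, the hardened equivalent that refuses to follow links and confines resolution to the account, and a hunt that lists symlinks escaping a tenant home (the kind of artifact to look for while unpatched). The two-account layout, the `wp-config.php` secret and the planted `cache.html` link are constructed in a temp directory; the function names are mine, and the example is not tied to how the LiteSpeed plugin actually handles paths.

```python
"""Symlink-following on shared hosting: vulnerable pattern, hardened pattern,
and a hunt for symlinks that escape an account. Added illustration of the
vulnerability class; not the LiteSpeed cPanel/WHM plugin's code."""
import errno
import os
import stat
import tempfile
from typing import List, Optional, Tuple


def read_as_privileged_unsafe(path: str) -> bytes:
    # Vulnerable pattern: a helper running with more privilege than the tenant
    # opens a path inside the tenant's home and trusts it. If the tenant replaced
    # the file with a symlink (e.g. over FTP), open() follows it into another
    # account without any error.
    with open(path, "rb") as fh:
        return fh.read()


def read_within_account(path: str, account_home: str,
                        expected_uid: Optional[int] = None) -> bytes:
    # Hardened pattern: resolve the path and require it to stay inside the
    # account, refuse to follow a symlink on the final component (O_NOFOLLOW),
    # and verify the inode actually opened is a regular file with the expected
    # owner. realpath() is a pre-check only; O_NOFOLLOW and fstat() act on the
    # inode that was really opened, which closes the obvious race on the last
    # component (intermediate directories still need openat()-style handling).
    real_home = os.path.realpath(account_home)
    real_path = os.path.realpath(path)
    if os.path.commonpath([real_home, real_path]) != real_home:
        raise PermissionError(f"{path} resolves outside {account_home}")
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise PermissionError(f"{path} is a symlink; refusing to follow") from exc
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path} is not a regular file")
        if expected_uid is not None and st.st_uid != expected_uid:
            raise PermissionError(f"{path} owned by uid {st.st_uid}, expected {expected_uid}")
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def find_escaping_symlinks(account_home: str) -> List[Tuple[str, str]]:
    # Hunt: every symlink under the account whose resolved target lies outside
    # the account's real home. os.walk() does not descend into symlinked
    # directories, so a planted directory link is reported, not traversed.
    real_home = os.path.realpath(account_home)
    hits = []
    for root, dirs, files in os.walk(account_home):
        for name in dirs + files:
            p = os.path.join(root, name)
            if os.path.islink(p):
                target = os.path.realpath(p)
                if os.path.commonpath([real_home, target]) != real_home:
                    hits.append((p, os.readlink(p)))
    return hits


def demo() -> dict:
    # Constructed layout: two tenants under one base; the attacker plants a
    # symlink in its own public_html pointing at the victim's wp-config.php.
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim")
    attacker = os.path.join(base, "attacker")
    os.makedirs(os.path.join(victim, "public_html"))
    os.makedirs(os.path.join(attacker, "public_html"))
    secret = os.path.join(victim, "public_html", "wp-config.php")
    with open(secret, "w") as fh:
        fh.write("DB_PASSWORD=hunter2\n")
    own_file = os.path.join(attacker, "public_html", "index.html")
    with open(own_file, "w") as fh:
        fh.write("<h1>hi</h1>\n")
    planted = os.path.join(attacker, "public_html", "cache.html")
    os.symlink(secret, planted)

    result = {"unsafe": read_as_privileged_unsafe(planted)}
    try:
        read_within_account(planted, attacker)
        result["hardened_blocked"] = False
    except PermissionError:
        result["hardened_blocked"] = True
    result["own_file"] = read_within_account(own_file, attacker)
    result["hunt"] = [os.path.relpath(p, base) for p, _ in find_escaping_symlinks(attacker)]
    return result


if __name__ == "__main__":
    print(demo())
```

On a real host the hunt would be run per tenant home (for example over `/home/*`), and the ownership check would pass the tenant's uid so that a link to a world-readable file owned by another account is still rejected. On Linux, a production version of `read_within_account` should open intermediate directories with `openat()` semantics rather than rely on `realpath()` for them.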