ctipilot.ch

LiteSpeed User-End cPanel plugin lsws.redisAble priv-esc to root (CVSS 10.0, ITW)

cve · CVE-2026-48172

Coverage timeline
2
first 2026-05-18 → last 2026-05-31
Entries
2
2 distinct days
Sources cited
3
3 hosts
Sections touched
2
trending-vulnerabilities, weekly-vuln-rollup
Co-occurring entities
0
no co-occurrence

Story timeline

  1. 2026-05-24CVE-2026-48172 — LiteSpeed User-End cPanel plugin: authenticated cPanel user to root via lsws.redisAble, actively exploited
    trending-vulnerabilitiesCVE-2026-48172 — LiteSpeed User-End cPanel plugin: authenticated cPanel user to root via lsws.redisAble, actively exploited
  2. 2026-05-18CVE-2026-48172 — LiteSpeed User-End cPanel plugin: authenticated cPanel user to root, actively exploited
    weekly-vuln-rollupCVE-2026-48172 — LiteSpeed User-End cPanel plugin: authenticated cPanel user to root, actively exploited

Where this entity is cited

  • weekly-vuln-rollup1
  • trending-vulnerabilities1

Source distribution

  • blog.litespeedtech.com1 (33%)
  • github.com1 (33%)
  • thehackernews.com1 (33%)

Entries about LiteSpeed User-End cPanel plugin lsws.redisAble priv-esc to root (CVSS 10.0, ITW) (2)

2026-05-24 · view entry permalink →

HIGHCVE-2026-48172exploited

CVE-2026-48172 — LiteSpeed User-End cPanel plugin: authenticated cPanel user to root via lsws.redisAble, actively exploited

CVE-2026-48172 is an incorrect-privilege-assignment flaw (CWE-266) scored CVSS 4.0 = 10.0 in the LiteSpeed User-End cPanel plugin, versions 2.3 through 2.4.4. The defect sits in the lsws.redisAble function of the plugin's JSON-API endpoint — the handler that toggles Redis support — which is exposed by default to every logged-in cPanel user. A single API call with crafted parameter values executes arbitrary scripts as root; there is no race to win and no administrator (WHM) access required, so any low-privilege tenant or compromised hosting account escalates to full server root (GitHub Advisory GHSA-fxrh-cwjh-m33v, 2026-05-21). LiteSpeed confirms the vulnerability "is being actively exploited" across all 2.3–2.4.4 versions; cPanel auto-removed the vulnerable plugin during its 2026-05-19 nightly update, and the vendor shipped fixes in plugin v2.4.6 (initial) and v2.4.7 / WHM plugin v5.3.1.0 (full review) (LiteSpeed, 2026-05-21). The LiteSpeed WHM plugin is not affected.

On multi-tenant shared hosting — the dominant model for EU/CH SME and small public-sector web presences — root on the box exposes every co-tenant's TLS private keys, web-app source, database credentials and mail spool. Hunt cPanel access logs for the string cpanel_jsonapi_func=redisAble; any occurrence from a non-administrative account is the vendor-described exploitation artefact. Map to ATT&CK T1068 (Exploitation for Privilege Escalation). Hardening: upgrade to plugin v2.4.7 / WHM v5.3.1.0 immediately, or disable the LiteSpeed cPanel plugin until patched.

CVE-2026-48172 is an incorrect-privilege-assignment flaw (CWE-266) scored CVSS 4.0 = 10.0 in the LiteSpeed User-End cPanel plugin, versions 2.3 through 2.4.4.

ctipilot v2 brief (migrated)
vulnerability24 May 05:00Zmulti-sourceOpen finding ↗

2026-05-18 · view entry permalink →

NOTABLECVE-2026-48172exploited

CVE-2026-48172 — LiteSpeed User-End cPanel plugin: authenticated cPanel user to root, actively exploited

CVE-2026-48172 (CWE-266 incorrect privilege assignment, CVSS 10.0) in the LiteSpeed User-End cPanel plugin versions 2.3–2.4.4 lets an authenticated cPanel user escalate to root via the lsws.redisAble path, and is actively exploited. Shared-hosting and managed-WordPress estates running cPanel + LiteSpeed are the exposed population — a single low-privilege hosting account becomes root on the node. Patch to the vendor-recommended build (LiteSpeed advises 2.4.7 / WHM plugin 5.3.1.0) immediately and audit for unexpected root-level cron or service modifications on affected nodes.

CVE-2026-48172 (CWE-266 incorrect privilege assignment, CVSS 10.0) in the LiteSpeed User-End cPanel plugin versions 2.3–2.4.4 lets an authenticated cPanel user escalate to root via the lsws.redisAble path, and is actively exploited.

ctipilot v2 brief (migrated)
vulnerability18 May 05:00Zmulti-sourceOpen finding ↗