ctipilot.ch

LiteSpeed cPanel/WHM plugin symlink-following on shared hosting (CVE-2026-54420); exploited ITW; CISA KEV

cve · CVE-2026-54420

  • Coverage timeline: 1 (first 2026-06-16 → last 2026-06-16)
  • Briefs: 1 (1 distinct)
  • Sources cited: 7 (6 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-06-16 · CTI Daily Brief — 2026-06-16
    trending_vulns · First coverage; KEV 2026-06-15; ITW since May; patch WHM 5.3.2.0.

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • blog.litespeedtech.com: 2 (29%)
  • cisa.gov: 1 (14%)
  • github.com: 1 (14%)
  • nvd.nist.gov: 1 (14%)
  • socket.dev: 1 (14%)
  • thehackernews.com: 1 (14%)

Related entities

Items in briefs about LiteSpeed cPanel/WHM plugin symlink-following on shared hosting (CVE-2026-54420); exploited ITW; CISA KEV (1)

CVE-2026-54420 — LiteSpeed cPanel/WHM plugin: symlink-following on shared hosting, exploited in the wild (CISA KEV)

From CTI Daily Brief — 2026-06-16 · published 2026-06-16

The LiteSpeed cPanel plugin before 2.4.8 (fixed in the LiteSpeed WHM PlugIn version 5.3.2.1) mishandles symlinks supplied by a user with FTP or web-shell access on a CloudLinux/CageFS shared-hosting server, enabling cross-account file access and privilege escalation; NVD records exploitation in the wild in May 2026 (NVD CVSS 8.5). CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-15 (CISA, 2026-06-15). The exposure is most acute for hosting providers and any public-sector tenant on shared CloudLinux infrastructure. Patch to WHM PlugIn 5.3.2.1 / cPanel plugin 2.4.8.