ctipilot.ch


CVE-2026-48172 — LiteSpeed User-End cPanel plugin: authenticated cPanel user to root, actively exploited

Notable vulnerability · discovered 2026-05-18 05:00 UTC

Part of run 2026-W21-473d6fa5 (weekly · Claude Opus 4.7)

CVE-2026-48172 (CWE-266 incorrect privilege assignment, CVSS 10.0) in the LiteSpeed User-End cPanel plugin versions 2.3–2.4.4 lets an authenticated cPanel user escalate to root via the lsws.redisAble path, and is actively exploited. Shared-hosting and managed-WordPress estates running cPanel + LiteSpeed are the exposed population — a single low-privilege hosting account becomes root on the node. Patch to the vendor-recommended build (LiteSpeed advises 2.4.7 / WHM plugin 5.3.1.0) immediately and audit for unexpected root-level cron or service modifications on affected nodes.
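The audit step above ("unexpected root-level cron or service modifications") is easiest to do against a reference time. The following POSIX shell helper is an added example, not code from the ctipilot brief, from LiteSpeed or from cPanel: it lists cron and service definition files whose modification time is newer than a reference file the operator stamps with the last known-good change window. The directory lists are assumed typical Linux defaults and should be adjusted to the node; the sample files in the test are constructed.

```sh
#!/bin/sh
# Added example (not from the ctipilot brief or the LiteSpeed project).
# Supports the post-patch audit: find cron and service files changed after
# a reference time. Directory paths below are assumed defaults, not facts
# taken from the brief.

# Print regular files under the given directories whose mtime is newer than
# the reference file REF, one path per line, sorted. Missing dirs are skipped.
files_changed_since() {
    ref="$1"; shift
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f -newer "$ref"
    done | sort
}

# Number of files reported by files_changed_since, for quick triage.
count_changed_since() {
    n=$(files_changed_since "$@" | wc -l)
    echo "$n" | tr -d ' '
}

# Create REF with the given timestamp (POSIX touch -t, [[CC]YY]MMDDhhmm[.SS]),
# e.g. 202605180500 for 2026-05-18 05:00 local time.
make_reference() {
    ref="$1"; stamp="$2"
    : > "$ref"
    touch -t "$stamp" "$ref"
}

# Assumed default locations for scheduled tasks and service units on a
# cPanel/LiteSpeed node; extend for the node's actual layout.
CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/cron"
SERVICE_DIRS="/etc/systemd/system /usr/lib/systemd/system /etc/init.d"

# Operator entry point: AUDIT_SINCE=202605180500 sh audit.sh
# Anything listed that was not part of the patch rollout deserves a look.
if [ -n "${AUDIT_SINCE:-}" ]; then
    ref=$(mktemp)
    make_reference "$ref" "$AUDIT_SINCE"
    echo "== cron files changed since $AUDIT_SINCE =="
    files_changed_since "$ref" $CRON_DIRS
    echo "== service files changed since $AUDIT_SINCE =="
    files_changed_since "$ref" $SERVICE_DIRS
    rm -f "$ref"
fi
```

Run it as root so `/var/spool/cron` is readable, and pick `AUDIT_SINCE` from change records rather than from the exploit timeline: a clean run is the baseline against which later runs are compared, and a planted entry that predates the reference will only show up in a content comparison of the files themselves.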


Tags: vulnerabilities · actively-exploited · priv-esc · patch-available · global · CVE-2026-48172