Daily brief 2026-06-16
CVE-2026-54420 — LiteSpeed cPanel/WHM plugin: symlink-following on shared hosting, exploited in the wild (CISA KEV)
Part of run 2026-06-16-38d638e1 (intel · Claude Opus 4.8)
The LiteSpeed cPanel plugin before 2.4.8 (fixed in the LiteSpeed WHM PlugIn version 5.3.2.1) follows symlinks that a tenant with only FTP or web-shell access can plant on a CloudLinux/CageFS shared-hosting server. Because the plugin runs with more privilege than the tenant, a link pointing into another account's files yields cross-account file access and privilege escalation. NVD records exploitation in the wild in May 2026 and scores the flaw CVSS 8.5 (NVD); CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-15 (CISA, 2026-06-15). Exposure is most acute for hosting providers and for any public-sector tenant on shared CloudLinux infrastructure, where one compromised or malicious account can reach its neighbours. Patch to WHM PlugIn 5.3.2.1 / cPanel plugin 2.4.8 and confirm the installed version afterwards; tenant-level CageFS isolation does not by itself block this path, since the privileged plugin, not the tenant, does the following.
Action items
- Patch the LiteSpeed cPanel/WHM plugin (CVE-2026-54420) to WHM PlugIn 5.3.2.1 / cPanel plugin 2.4.8; NVD records in-the-wild exploitation on shared CloudLinux/CageFS hosting in May 2026 and the CVE is now in CISA KEV. Prioritise hosting providers and any public-sector tenant on shared hosting, then hunt tenant home directories for symlinks that resolve outside the owning account.
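The class of bug described above is a privileged component joining a tenant-controlled path and opening it without checking where the symlink chain actually lands. The script below is an added example for this brief, not LiteSpeed's, cPanel's or CloudLinux's code: it hunts a CloudLinux-style home tree for tenant symlinks that escape their own account (the post-patch check a hosting admin would run), and contrasts the unchecked join-and-open pattern with a contained open. The `home_root/<account>/...` layout, the two tenants `alice` and `bob`, their files and the planted link are all constructed here so it runs offline.

```python
"""Hunt for tenant symlinks that escape their home and contrast a blind
open() with a contained one.  Added example for this brief; not LiteSpeed,
cPanel or CloudLinux code.  The home layout, account names and sample
files are constructed assumptions so the script runs offline."""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(home_root: str) -> list[tuple[str, str]]:
    """Return (link, resolved_target) for every symlink under each
    per-account directory in home_root whose real target lies outside
    that account's own home.  Assumes the layout home_root/<account>/...
    (an assumption; adjust to the server's actual layout)."""
    findings = []
    root = Path(home_root).resolve()
    for account in sorted(p for p in root.iterdir()
                          if p.is_dir() and not p.is_symlink()):
        # followlinks=False: never descend through a tenant-planted link.
        for dirpath, dirnames, filenames in os.walk(account, followlinks=False):
            for name in dirnames + filenames:
                link = Path(dirpath) / name
                if not link.is_symlink():
                    continue
                target = Path(os.path.realpath(link))
                # Links inside the account are normal. Anything else (another
                # tenant, /etc, a web root) is what a privileged component
                # that follows symlinks would read or write on the tenant's
                # behalf.
                if not target.is_relative_to(account):
                    findings.append((str(link), str(target)))
    return findings


def open_unchecked(home: str, relpath: str) -> str:
    """The vulnerable pattern: join and open, following whatever symlink the
    tenant planted.  Kept only to contrast with open_contained()."""
    with open(os.path.join(home, relpath), "r") as f:
        return f.read()


def open_contained(home: str, relpath: str) -> str:
    """Refuse to read anything whose real path leaves the tenant's home.
    resolve() follows the whole symlink chain before the check, so a link
    planted at any depth is caught, not only in the last component."""
    base = Path(home).resolve()
    target = (base / relpath).resolve()
    if not target.is_relative_to(base):
        raise PermissionError(f"{relpath} resolves outside {base}: {target}")
    # O_NOFOLLOW closes the race on the final component: if the tenant swaps
    # the file for a symlink after resolve() ran, open fails (ELOOP) instead
    # of following it.
    fd = os.open(target, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "r") as f:
        return f.read()


def build_demo_tree() -> str:
    """Constructed sample: two tenants, with 'alice' planting a symlink to
    'bob's private config.  Returns the home root."""
    root = tempfile.mkdtemp(prefix="homes_")
    alice = Path(root, "alice", "public_html")
    bob = Path(root, "bob")
    alice.mkdir(parents=True)
    bob.mkdir(parents=True)
    (bob / "wp-config.php").write_text("<?php $db_password = 'bob-secret'; ?>\n")
    (alice / "local.txt").write_text("alice-owned\n")
    os.symlink(alice / "local.txt", alice / "ok_link")      # in-home, benign
    os.symlink(bob / "wp-config.php", alice / "evil.txt")   # cross-account
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for link, target in find_escaping_symlinks(root):
        print(f"ESCAPE {link} -> {target}")
    alice_home = os.path.join(root, "alice")
    print("unchecked read:", open_unchecked(alice_home, "public_html/evil.txt").strip())
    try:
        open_contained(alice_home, "public_html/evil.txt")
    except PermissionError as e:
        print("contained read refused:", e)
```

Two caveats for anyone adapting this. The scanner is a point-in-time hunt, so run it from a privileged context that can read every home, and treat any hit under a tenant's `public_html` as a lead to pull that account's FTP and web logs. The containment check still has a window on intermediate directory components (a tenant could swap a parent directory for a symlink between `resolve()` and `os.open`); on Linux 5.6+ the complete fix is `openat2()` with `RESOLVE_BENEATH`, which Python's standard library does not expose, so a privileged service should do that call in C or drop privileges to the tenant's uid before opening.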