ctipilot.ch


CVE-2026-54420 — LiteSpeed cPanel/WHM plugin: symlink-following on shared hosting, exploited (CISA KEV)

notable vulnerability discovered 2026-06-22 00:14 UTC

Part of run 2026-W25-0aacfe65 (weekly · Claude Opus 4.8)

The LiteSpeed cPanel plugin before 2.4.8 mishandles user-supplied symlinks on CloudLinux/CageFS shared hosting, letting a user with FTP or web-shell access escalate privileges; it is exploited in the wild and KEV-listed (LiteSpeed; daily 06-16). This is relevant to any public-sector or education entity running shared cPanel hosting. Update to LiteSpeed WHM Plugin version 5.3.2.1.
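For triage on a shared host, the following added example (not code from LiteSpeed or from this brief) lists symlinks inside one account's home directory whose resolved target lies outside that home, which is the class of user-supplied link the advisory describes. It is a generic audit for that class rather than a detector for this specific CVE; the account name, directory layout and sample tree are constructed for illustration.

```python
import os
import tempfile


def find_escaping_symlinks(home):
    """Return sorted (link, resolved_target, owner_uid) tuples for every
    symlink under `home` whose resolved target is outside `home`."""
    home_real = os.path.realpath(home)
    findings = []
    # followlinks=False: list symlinked directories but never descend into them.
    for root, dirs, files in os.walk(home_real, followlinks=False):
        for name in dirs + files:
            path = os.path.join(root, name)
            if not os.path.islink(path):
                continue
            # realpath resolves relative and chained links (broken ones too).
            target = os.path.realpath(path)
            if os.path.commonpath([home_real, target]) != home_real:
                findings.append((path, target, os.lstat(path).st_uid))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample: one hypothetical account home and a file outside it."""
    home = os.path.join(base, "home", "user1")
    web = os.path.join(home, "public_html")
    os.makedirs(web)
    outside = os.path.join(base, "outside-secret")  # stands in for another tenant's file
    inside = os.path.join(home, "notes.txt")
    for p in (outside, inside):
        with open(p, "w") as fh:
            fh.write("sample\n")
    os.symlink(outside, os.path.join(web, "leak.txt"))  # absolute link, escapes home
    os.symlink(inside, os.path.join(web, "ok.txt"))     # stays inside home
    os.symlink("../../..", os.path.join(web, "up"))     # relative link, escapes home
    return home


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for link, target, uid in find_escaping_symlinks(build_sample_tree(base)):
            print(f"uid={uid} {link} -> {target}")
```

On a real host, run `find_escaping_symlinks` once per account home and review the hits against links the hosting platform itself creates, since some out-of-home links are legitimate.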

“The LiteSpeed cPanel plugin before 2.4.8 mishandles user-supplied symlinks on CloudLinux/CageFS shared hosting, letting a user with FTP or web-shell access escalate; it is exploited in the wild and KEV-listed (LiteSpeed; daily 06-16).” — ctipilot v2 brief (migrated)

vulnerabilities actively-exploited priv-esc cisa-kev global CVE-2026-54420