CVE Details
CVE-2026-54420
LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability
Published: 2026-06-15
CVSS: 8.5 HIGH
Product: LiteSpeed cPanel Plugin
Due Date: 2026-06-18
LiteSpeed cPanel plugin contains a UNIX symbolic link (Symlink) following vulnerability that could allow a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS.
| Key | Remaining Key | Value |
|---|---|---|
| dataType | | CVE_RECORD |
| dataVersion | | 5.2 |
| cveMetadata > | cveId | CVE-2026-54420 |
| cveMetadata > | assignerOrgId | 8254265b-2729-46b6-b9e3-3dfca2d5bfca |
| cveMetadata > | state | PUBLISHED |
| cveMetadata > | assignerShortName | mitre |
| cveMetadata > | dateReserved | 2026-06-14T03:23:12.439Z |
| cveMetadata > | datePublished | 2026-06-14T03:23:12.863Z |
| cveMetadata > | dateUpdated | 2026-06-15T19:58:23.846Z |
| containers > | cna > affected > 0 > defaultStatus | unaffected |
| containers > | cna > affected > 0 > packageName | WHM and cPanel PlugIn |
| containers > | cna > affected > 0 > platforms > 0 | Linux |
| containers > | cna > affected > 0 > product | cPanel Plugin |
| containers > | cna > affected > 0 > vendor | LiteSpeed Technologies |
| containers > | cna > affected > 0 > versions > 0 > lessThan | 2.4.8 |
| containers > | cna > affected > 0 > versions > 0 > status | affected |
| containers > | cna > affected > 0 > versions > 0 > version | 2.3 |
| containers > | cna > affected > 0 > versions > 0 > versionType | custom |
| containers > | cna > descriptions > 0 > lang | en |
| containers > | cna > descriptions > 0 > value | LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026. |
| containers > | cna > metrics > 0 > cvssV3_1 > attackComplexity | HIGH |
| containers > | cna > metrics > 0 > cvssV3_1 > attackVector | NETWORK |
| containers > | cna > metrics > 0 > cvssV3_1 > availabilityImpact | HIGH |
| containers > | cna > metrics > 0 > cvssV3_1 > baseScore | 8.5 |
| containers > | cna > metrics > 0 > cvssV3_1 > baseSeverity | HIGH |
| containers > | cna > metrics > 0 > cvssV3_1 > confidentialityImpact | HIGH |
| containers > | cna > metrics > 0 > cvssV3_1 > integrityImpact | HIGH |
| containers > | cna > metrics > 0 > cvssV3_1 > privilegesRequired | LOW |
| containers > | cna > metrics > 0 > cvssV3_1 > scope | CHANGED |
| containers > | cna > metrics > 0 > cvssV3_1 > userInteraction | NONE |
| containers > | cna > metrics > 0 > cvssV3_1 > vectorString | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| containers > | cna > metrics > 0 > cvssV3_1 > version | 3.1 |
| containers > | cna > metrics > 0 > format | CVSS |
| containers > | cna > metrics > 0 > scenarios > 0 > lang | en |
| containers > | cna > metrics > 0 > scenarios > 0 > value | GENERAL |
| containers > | cna > problemTypes > 0 > descriptions > 0 > cweId | CWE-61 |
| containers > | cna > problemTypes > 0 > descriptions > 0 > description | CWE-61 UNIX Symbolic Link (Symlink) Following |
| containers > | cna > problemTypes > 0 > descriptions > 0 > lang | en |
| containers > | cna > problemTypes > 0 > descriptions > 0 > type | CWE |
| containers > | cna > providerMetadata > orgId | 8254265b-2729-46b6-b9e3-3dfca2d5bfca |
| containers > | cna > providerMetadata > shortName | mitre |
| containers > | cna > providerMetadata > dateUpdated | 2026-06-14T03:23:12.863Z |
| containers > | cna > references > 0 > url | https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/cpanel |
| containers > | cna > references > 1 > url | https://blog.litespeedtech.com/2026/06/01/security-update-for-litespeed-cpanel-plugin-2/ |
| containers > | cna > solutions > 0 > lang | en |
| containers > | cna > solutions > 0 > supportingMedia > 0 > base64 | False |
| containers > | cna > solutions > 0 > supportingMedia > 0 > type | text/html |
| containers > | cna > solutions > 0 > supportingMedia > 0 > value | Upgrade to the LiteSpeed WHM PlugIn v5.3.2.0 or higher (which includes the cPanel PlugIn v2.4.8). |
| containers > | cna > solutions > 0 > value | Upgrade to the LiteSpeed WHM PlugIn v5.3.2.0 or higher (which includes the cPanel PlugIn v2.4.8). |
| containers > | cna > tags > 0 | x_known-exploited-vulnerability |
| containers > | cna > workarounds > 0 > lang | en |
| containers > | cna > workarounds > 0 > supportingMedia > 0 > base64 | False |
| containers > | cna > workarounds > 0 > supportingMedia > 0 > type | text/html |
| containers > | cna > workarounds > 0 > supportingMedia > 0 > value | Disable the cPanel PlugIn for LiteSpeed |
| containers > | cna > workarounds > 0 > value | Disable the cPanel PlugIn for LiteSpeed |
| containers > | cna > x_generator > engine | CVE-Request-form 0.0.1 |
| containers > | adp > 0 > references > 0 > url | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-54420 |
| containers > | adp > 0 > references > 0 > tags > 0 | government-resource |
| containers > | adp > 0 > metrics > 0 > other > type | ssvc |
| containers > | adp > 0 > metrics > 0 > other > content > timestamp | 2026-06-15T19:35:22.294103Z |
| containers > | adp > 0 > metrics > 0 > other > content > id | CVE-2026-54420 |
| containers > | adp > 0 > metrics > 0 > other > content > options > 0 > Exploitation | active |
| containers > | adp > 0 > metrics > 0 > other > content > options > 1 > Automatable | no |
| containers > | adp > 0 > metrics > 0 > other > content > options > 2 > Technical Impact | total |
| containers > | adp > 0 > metrics > 0 > other > content > role | CISA Coordinator |
| containers > | adp > 0 > metrics > 0 > other > content > version | 2.0.3 |
| containers > | adp > 0 > metrics > 1 > other > type | kev |
| containers > | adp > 0 > metrics > 1 > other > content > dateAdded | 2026-06-15 |
| containers > | adp > 0 > metrics > 1 > other > content > reference | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-54420 |
| containers > | adp > 0 > title | CISA ADP Vulnrichment |
| containers > | adp > 0 > providerMetadata > orgId | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| containers > | adp > 0 > providerMetadata > shortName | CISA-ADP |
| containers > | adp > 0 > providerMetadata > dateUpdated | 2026-06-15T19:58:23.846Z |
| containers > | adp > 0 > timeline > 0 > time | 2026-06-15T00:00:00.000Z |
| containers > | adp > 0 > timeline > 0 > lang | en |
| containers > | adp > 0 > timeline > 0 > value | CVE-2026-54420 added to CISA KEV |