CVE-2026-54420


CVSS 8.5 HIGH | EPSS 1.3% | ● KEV | CWE-61
In short

The LiteSpeed cPanel plugin before version 2.4.8 fails to properly handle symbolic links (symlinks), allowing users with FTP or web shell access on shared hosting servers to access files they shouldn't be able to reach. This is a serious risk on multi-user hosting environments running CloudLinux/CageFS.

Technical detail

CWE-61 (Improper Handling of Symbolic Links) in LiteSpeed cPanel plugin <2.4.8 permits privilege escalation or unauthorized file access through symlink manipulation by authenticated users (FTP/web shell) on shared hosting with CloudLinux/CageFS. Precondition: the attacker must already hold FTP or web shell access to an account on the affected server. Impact: information disclosure from, or lateral movement into, other users' environments that CageFS is meant to keep isolated.

Summary generated and translated by AI from the official description.
LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
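The class of bug described above is a plugin that follows a user-planted symlink while operating with more rights than the user who planted it. The check that prevents it is to resolve the requested path and refuse anything whose real location leaves the account's own root, then open without following links. The following is an added illustration of that mitigation, not LiteSpeed's code; the per-account root directory, the two-account layout and the file contents are all constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Illustrative CWE-61 mitigation for a component that serves or copies files
# on behalf of hosting accounts. Nothing here is the LiteSpeed plugin's code;
# `root` stands in for a hypothetical per-account root such as a CageFS home.


def resolve_within(root, requested):
    """Return the real path of `requested` (relative to `root`), refusing it
    when symlink resolution lands outside `root`."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(
            f"{requested!r} resolves to {candidate}, outside {root_real}")
    return candidate


def read_within(root, requested):
    """Resolve, then open with O_NOFOLLOW so a link swapped in between the
    check and the open (a TOCTOU race) is rejected rather than followed."""
    path = resolve_within(root, requested)
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as f:
        return f.read()


def find_escaping_symlinks(root):
    """Audit helper: list (relative path, link target) for every symlink under
    `root` whose target resolves outside it. os.walk does not descend into
    linked directories, so a linked directory is reported, not traversed."""
    root_real = os.path.realpath(root)
    escapes = []
    for dirpath, dirnames, filenames in os.walk(root_real):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            if os.path.commonpath([root_real, os.path.realpath(path)]) != root_real:
                escapes.append((os.path.relpath(path, root_real), os.readlink(path)))
    return escapes


def demo():
    """Constructed two-account layout: user_a's web root contains a symlink
    pointing at a file in user_b's home. Returns what the checks decide."""
    with tempfile.TemporaryDirectory() as base:
        user_a = Path(base) / "home" / "user_a"
        user_b = Path(base) / "home" / "user_b"
        (user_a / "public_html").mkdir(parents=True)
        user_b.mkdir(parents=True)
        (user_b / "wp-config.php").write_text("<?php /* constructed, not real */ ?>")
        (user_a / "public_html" / "index.html").write_text("<h1>hello</h1>")
        # The planted link: lives inside user_a's tree, points into user_b's.
        (user_a / "public_html" / "peek.txt").symlink_to(user_b / "wp-config.php")

        served = read_within(user_a, "public_html/index.html")
        try:
            read_within(user_a, "public_html/peek.txt")
            blocked = False
        except PermissionError:
            blocked = True
        return {
            "served": served,
            "blocked": blocked,
            "escaping_links": [rel for rel, _ in find_escaping_symlinks(user_a)],
        }


if __name__ == "__main__":
    print(demo())
```

The realpath check alone is not enough on a shared server, because the link can be replaced between the check and the open; O_NOFOLLOW closes that window for the final path component only, so intermediate directories still rely on the earlier resolution. The stronger defences are the ones the platform already provides: performing file operations as the account's own user inside CageFS rather than as a privileged service, and the kernel's fs.protected_symlinks restriction on following links in world-writable directories.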