cPanel released a coordinated security update today, May 8, 2026, addressing three separate vulnerabilities in cPanel & WHM. We received advance notice of the patch yesterday evening, monitored for its release at noon EDT, and applied it across our fleet as soon as it became available.
This post summarizes what cPanel disclosed, when the patch actually landed, and what we did about it.
What cPanel Disclosed in Advance
On the evening of May 7, cPanel sent affected partners an early-warning email letting us know a security update was coming the following day at 12:00 PM EDT. The advance notice covered three CVEs being patched together: CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203.
The notice specified the minimum patched build for every supported tier from 11.86 through 11.136, including the WP Squared (11.136 WP2) line. cPanel recommended performing a manual update via /scripts/upcp once the patch was made available, rather than waiting for the standard automatic update window.
Full technical details were embargoed until the patch itself was released.
Continue reading “cPanel & WHM Security Update: CVE-2026-29201, 29202, and 29203 Patched”