CVE-2026-29201
Received Received - Intake
Arbitrary File Read in Adminbin via Feature File Name

Publication date: 2026-05-08

Last updated on: 2026-05-11

Assigner: HackerOne

Description
Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-29201
EUVD
EUVD-2026-28810
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
cpanel whm From 11.136.0.9 (inc)
wp_squared wp_squared From 11.136.1.10 (inc)
cpanel whm v110.0.114
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves insufficient input validation in the feature file name parameter of the `feature::LOADFEATUREFILE` adminbin call. Specifically, when a relative file path is provided, it can lead to arbitrary file read, meaning an attacker could potentially read files on the system that they should not have access to.

Impact Analysis

The impact of this vulnerability is that an attacker could exploit it to read arbitrary files on the affected system. This could lead to unauthorized access to sensitive information, potentially exposing confidential data or system files.

Detection Guidance

This vulnerability involves an arbitrary file read via the feature::LOADFEATUREFILE adminbin call when a relative file path is passed. Detection would involve verifying the cPanel version to see if it is vulnerable.

You can check your current cPanel version using the command:

  • /usr/local/cpanel/cpanel -V

If the version is older than 11.136.0.9, your system may be vulnerable.

Mitigation Strategies

To mitigate this vulnerability, you should update your cPanel & WHM installation to a patched version.

  • Run the update command: /scripts/upcp --force
  • Verify the update with: /usr/local/cpanel/cpanel -V

For users on older systems like CentOS 6 or CloudLinux 6, update directly to version v110.0.114.

Compliance Impact

The vulnerability allows arbitrary file read through insufficient input validation, potentially exposing sensitive files to unauthorized access.

Such unauthorized disclosure of sensitive information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and protected health information.

Therefore, if exploited, this vulnerability may compromise confidentiality obligations under these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29201. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart