CVE-2026-29202
Received - Intake
Insufficient Input Validation Leads to Arbitrary Perl Code Execution

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: HackerOne

Description
Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products

| Vendor | Product | Version / Range |
|---|---|---|
| cpanel | whm | From 11.136.0.9 (inc) |
| wp_squared | wp_squared | From 11.136.1.10 (inc) |
| cpanel | whm | v110.0.114 |
CWE
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows arbitrary Perl code execution on behalf of an authenticated system user, which can lead to unauthorized access and potential data breaches.

Such unauthorized access and potential compromise of system integrity can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data.

Organizations using affected versions should apply the security updates promptly to mitigate risks and maintain compliance.


Can you explain this vulnerability to me?

This vulnerability involves insufficient input validation of the `plugin` parameter in the `create_user` plugin. Because of this flaw, an attacker who is already authenticated can execute arbitrary Perl code on the system with the privileges of the authenticated user's system account.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves verifying the version of cPanel & WHM or WP Squared installed on your system to ensure it is not an affected version.

You can check the current cPanel version using the command:

  • `/usr/local/cpanel/cpanel -V`

If the version is older than 11.136.0.9 for cPanel & WHM or 11.136.1.10 for WP Squared, your system may be vulnerable.


How can this vulnerability impact me?

The vulnerability allows an authenticated user to run arbitrary Perl code on the system, which can lead to unauthorized actions such as data manipulation, privilege escalation, or system compromise depending on the permissions of the affected user account.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately update your cPanel & WHM or WP Squared installation to a patched version.

For cPanel & WHM, run the following command to force an update:

  • `/scripts/upcp --force`

After the update, verify the installed version with:

  • `/usr/local/cpanel/cpanel -V`

Ensure the version is at least 11.136.0.9 for cPanel & WHM or 11.136.1.10 for WP Squared. For older systems like CentOS 6 or CloudLinux 6, update directly to version v110.0.114.

Following these steps will protect your system from arbitrary Perl code execution via the create_user plugin vulnerability.
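
The version check from the detection and mitigation answers above can be scripted for use across several hosts. This is an added example, not code from cPanel or from this page; the function names and the `wp2` product label are hypothetical, and the `136.0 (build 9)` input form is an assumption about how `cpanel -V` prints the version.

```shell
#!/bin/sh
# Added example: compare a version string with the fixed versions quoted on this page.
FIXED_CPANEL="11.136.0.9"    # cPanel & WHM
FIXED_WP2="11.136.1.10"      # WP Squared
FIXED_LEGACY="v110.0.114"    # CentOS 6 / CloudLinux 6 systems

# normalize VERSION -> "major.minor.build", or non-zero status if unparseable.
# Accepts "11.136.0.9", "v110.0.114" and (assumed) "136.0 (build 9)".
normalize() (
  v=${1#v}
  case $v in
    *" (build "*")") b=${v##*build }; b=${b%\)}; v="${v%% *}.$b" ;;
  esac
  case $v in 11.*.*.*) v=${v#11.} ;; esac      # drop the leading "11."
  case $v in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  IFS=.; set -- $v
  [ $# -eq 3 ] || return 1
  echo "$1.$2.$3"
)

# version_ge A B -> success if A >= B, compared field by field as numbers.
version_ge() (
  IFS=.
  set -- $1 $2                                  # a1 a2 a3 b1 b2 b3
  if   [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]
  elif [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]
  else [ "$3" -ge "$6" ]
  fi
)

# check VERSION [cpanel|wp2] -> prints patched, needs-update or unknown.
check() (
  v=$(normalize "$1") || { echo unknown; return 0; }
  case ${2:-cpanel} in
    wp2) min=$(normalize "$FIXED_WP2") ;;
    *)   min=$(normalize "$FIXED_CPANEL")
         # The 110 line has its own fixed build on this page.
         case $v in 110.*) min=$(normalize "$FIXED_LEGACY") ;; esac ;;
  esac
  if version_ge "$v" "$min"; then echo patched; else echo needs-update; fi
)

# Example: ./check.sh "$(/usr/local/cpanel/cpanel -V)"
if [ $# -gt 0 ]; then check "$@"; fi
```

An `unknown` result means the string did not parse and the host should be checked by hand rather than assumed patched.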

