CVE-2026-29205

HIGH · 8.6
hype LIKELY HACK · 68 hack

Real vuln, withheld PoC, incomplete patches, but not KEV-listed or in-the-wild confirmed.

What: Incorrect privilege management and insufficient path filtering in cPanel's cpdavd attachment download endpoints allow unauthenticated arbitrary file read (CVSS 8.6).

Why it matters: Published yesterday; researchers withheld PoC pending complete patch, noting cPanel's initial fix (11.134.0.26) is incomplete. High CVSS and pre-auth nature drive urgent patching. Not yet KEV-listed but active vendor iteration signals real exploitation risk.

Where it's seen: Vendor advisory circulation, researcher posts flagging incomplete patches, hosting providers amplifying urgency, multilingual security feeds republishing NVD data. One misattribution claiming Apache Cassandra (false).

RISK: HIGH — Pre-auth arbitrary file read affecting cPanel; incomplete initial patch; active researcher concern.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 5/14/2026, 11:54:40 AM

Description

Incorrect privilege management and insufficient path filtering allow reading an arbitrary file on the server via the cpdavd attachment download endpoints.

CVSS 3.1 breakdown

Exploitability 3.9 · Impact 4.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack vector: Network
Complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: Low

Weaknesses