
CVE-2026-54420

Severity: HIGH · CVSS 8.5 · KEV-listed · EPSS 0.6%
Hype: ACTIVE HACK · 92 · hack

CISA KEV + May in-the-wild exploitation + government three-day deadline = validated active threat.

What: LiteSpeed cPanel plugin before 2.4.8 (shipped in LiteSpeed WHM plugin before 5.3.2.0) mishandles symlinks supplied by a tenant with FTP or web shell access on a shared CloudLinux/CageFS host, letting that tenant escalate privileges (CVSS 8.5).

Why it matters: KEV-listed 2026-06-15; in-the-wild exploitation confirmed in May 2026. CISA issued an emergency directive requiring federal agencies to patch by June 18. Shared-hosting blast radius: a single server can carry thousands of tenants, and one tenant's escalation exposes all of them.

Where it's seen: CISA advisory, news coverage, vendor patches, C-suite briefings. Social chatter dominated by government deadline and active threat confirmation. No speculation—all posts cite CISA KEV listing and May exploitation.

RISK: CRITICAL — KEV-listed, active exploitation confirmed, federal patch mandate, privilege escalation on shared hosting.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 6/16/2026, 4:19:31 PM

Description

LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.
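The description names the weakness class (a privileged component following tenant-controlled symlinks) but not the plugin's actual code path, which this page does not publish. The block below is an added illustration of that class, not code from LiteSpeed or cPanel: a vulnerable reader that opens a tenant path with a plain open(), beside a hardened reader that walks the path component by component with O_NOFOLLOW and a directory descriptor, so a planted symlink or a ".." fails instead of redirecting the read. The tenant layout, file names and "root-only data" content are constructed for the demo.

```python
import os
import stat
import tempfile


def unsafe_read(path: str) -> bytes:
    """Vulnerable pattern: a privileged helper opens a tenant-supplied path
    with a plain open(). Any symlink the tenant planted along that path is
    followed, so the read (or a write, in the same shape) lands wherever
    the link points."""
    with open(path, "rb") as f:
        return f.read()


def safe_read(tenant_root: str, relpath: str) -> bytes:
    """Hardened pattern: walk relpath one component at a time from a
    descriptor on tenant_root, opening every step with O_NOFOLLOW so a
    symlink anywhere in the path fails with ELOOP, rejecting '..' so the
    walk cannot leave tenant_root, and requiring a regular file at the end.
    Opening relative to dir_fd at each step avoids the check-then-use race
    of a realpath() comparison followed by a separate open()."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("rejected path %r" % relpath)
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    dirfd = os.open(tenant_root, dir_flags)
    try:
        for comp in parts[:-1]:
            nxt = os.open(comp, dir_flags, dir_fd=dirfd)  # ELOOP on a symlinked dir
            os.close(dirfd)
            dirfd = nxt
        fd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dirfd)
    except OSError as exc:
        raise PermissionError("symlink or bad component in %r: %s" % (relpath, exc)) from exc
    finally:
        os.close(dirfd)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file: %r" % relpath)
    except Exception:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed scenario (not from the advisory): a tenant home with a
    legitimate file, a symlink to a file outside the home, and a symlinked
    directory. Returns what each reader does with each path."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        outside = os.path.join(tmp, "outside")          # stands in for files outside CageFS
        os.makedirs(outside)
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as f:
            f.write("root-only data")
        home = os.path.join(tmp, "home", "tenant")
        web = os.path.join(home, "public_html")
        os.makedirs(web)
        with open(os.path.join(web, "index.html"), "w") as f:
            f.write("hello")
        os.symlink(secret, os.path.join(web, "link"))     # tenant-planted file symlink
        os.symlink(outside, os.path.join(web, "linkdir"))  # tenant-planted directory symlink

        results["unsafe_file_link"] = unsafe_read(os.path.join(web, "link"))
        results["safe_regular"] = safe_read(home, "public_html/index.html")
        for label, rel in [("safe_file_link", "public_html/link"),
                           ("safe_dir_link", "public_html/linkdir/secret.txt"),
                           ("safe_traversal", "../../outside/secret.txt")]:
            try:
                safe_read(home, rel)
                results[label] = "followed"
            except PermissionError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The vulnerable reader returns the outside file's contents through the planted link; the hardened reader returns the legitimate file and rejects the file symlink, the directory symlink and the traversal attempt. A fix in a real privileged helper should also drop to the tenant's uid before touching tenant paths, which this demo does not show.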

CVSS 3.1 breakdown

Exploitability 1.8 · Impact 6.0
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack vector: Network (AV:N)
Attack complexity: High (AC:H)
Privileges required: Low (PR:L)
User interaction: None (UI:N)
Scope: Changed (S:C)
Confidentiality: High (C:H)
Integrity: High (I:H)
Availability: High (A:H)

Weaknesses