
CVE-2026-48172: Root Privilege Escalation in LiteSpeed cPanel Plugin
A critical vulnerability, tracked as CVE-2026-48172, affects the LiteSpeed User-End cPanel Plugin versions 2.3 through 2.4.4. It carries a CVSS v4.0 score of 10.0, the maximum. Any authenticated cPanel user, with no special privileges, can execute arbitrary scripts as root on the underlying server, which on a shared host puts every customer on that machine at risk.
Disclosed on May 21, 2026, the vulnerability is already being actively exploited and is listed in the CISA Known Exploited Vulnerabilities catalog, which signals a heightened urgency for remediation. The complete fix shipped as WHM Plugin 5.3.1.0 together with cPanel Plugin 2.4.7.
Impact of the Vulnerability
The flaw lies in the plugin's lsws.redisAble function, which handles Redis operations. It is reachable by any authenticated cPanel user, so a single compromised, or simply newly created, customer account can have the plugin run attacker-supplied scripts with root privileges. From there the attacker controls the host and, with it, every other tenant on the same server.
The CVSS v4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) describes a network-reachable flaw with low attack complexity, no attack requirements and no user interaction, with high impact on the vulnerable system and on subsequent systems, i.e. the co-tenants. Note that the vector records PR:N even though the write-up describes the attacker as an authenticated cPanel user; on a shared host the distinction matters little, since any customer account meets the bar.
Patching and Mitigation
To mitigate this issue, affected operators must upgrade to WHM Plugin 5.3.1.0 together with cPanel Plugin 2.4.7; earlier releases only provided partial fixes. If immediate patching is not feasible, the vulnerable component can be removed entirely with:
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
Exploitation Activity
Automated attacks against unpatched installations are already widespread, with attackers deploying malware and ransomware on the hosts they take over. The short gap between disclosure and exploitation makes prompt patching essential. CISA added the vulnerability to its catalog on May 26, 2026, with a remediation deadline of June 16 for federal agencies, which underscores the risk.
Key Actions Before the Deadline
- Upgrade to the complete fix using WHM Plugin 5.3.1.0 and cPanel Plugin 2.4.7 across all servers.
- If unable to patch immediately, uninstall the vulnerable plugin to prevent potential exploitation.
- Examine server and cPanel logs for any signs of exploitation that occurred before the fix was applied.
- Conduct a comprehensive audit of all servers in the network to identify and patch any that may still be vulnerable.
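The audit step above means checking every server against the fixed versions. The POSIX shell script below is an added example, not code from LiteSpeed, cPanel or LowEndBox: it compares dotted version strings and classifies a cPanel plugin version against the affected range (2.3 through 2.4.4) and the complete fix (2.4.7), and a WHM plugin version against 5.3.1.0. It assumes the operator has already collected each host's plugin versions into a whitespace-separated inventory (hostname, cPanel plugin version, WHM plugin version); the inventory embedded in the script is constructed sample data. Treating anything above 2.4.4 but below 2.4.7 as still needing an upgrade follows from the statement that earlier releases were only partial fixes, and versions below 2.3 are marked for review rather than cleared, since the advisory does not list them either way.

```shell
#!/bin/sh
# Added example (not LiteSpeed/cPanel/LowEndBox code): classify LiteSpeed
# plugin versions against the ranges in the advisory.
#   cPanel plugin: 2.3 .. 2.4.4 listed as affected; 2.4.7 is the complete fix.
#   WHM plugin:    5.3.1.0 is the complete fix.
# Assumption: a cPanel plugin version above 2.4.4 but below 2.4.7 still needs
# an upgrade, because the advisory says earlier releases were only partial fixes.

# vercmp A B: compare two dotted numeric versions; prints -1, 0 or 1.
# Missing trailing components count as 0, so 2.4 compares equal to 2.4.0.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"                          # leading component
    if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi  # consume it
    if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# classify_cpanel_plugin VERSION -> not-listed | vulnerable | upgrade-required | fixed
classify_cpanel_plugin() {
  if   [ "$(vercmp "$1" 2.3)"   -lt 0 ]; then printf '%s\n' not-listed
  elif [ "$(vercmp "$1" 2.4.4)" -le 0 ]; then printf '%s\n' vulnerable
  elif [ "$(vercmp "$1" 2.4.7)" -lt 0 ]; then printf '%s\n' upgrade-required
  else printf '%s\n' fixed
  fi
}

# classify_whm_plugin VERSION -> upgrade-required | fixed
classify_whm_plugin() {
  if [ "$(vercmp "$1" 5.3.1.0)" -lt 0 ]; then printf '%s\n' upgrade-required
  else printf '%s\n' fixed
  fi
}

# audit_inventory: reads "host cpanel_plugin_version whm_plugin_version" lines
# on stdin and prints one verdict line per host: OK, REVIEW or ACTION.
audit_inventory() {
  while read -r host cp whm; do
    if [ -z "$host" ]; then continue; fi
    cps="$(classify_cpanel_plugin "$cp")"
    whms="$(classify_whm_plugin "$whm")"
    flag=OK
    case "$cps" in
      fixed) ;;
      not-listed) flag=REVIEW ;;   # outside the listed range; confirm manually
      *) flag=ACTION ;;
    esac
    [ "$whms" = fixed ] || flag=ACTION
    printf '%-8s cpanel=%s (%s)  whm=%s (%s)  %s\n' \
      "$host" "$cp" "$cps" "$whm" "$whms" "$flag"
  done
}

# Constructed sample inventory; replace with data collected from the real fleet.
SAMPLE_INVENTORY='web01 2.4.2 5.3.0.1
web02 2.4.7 5.3.1.0
web03 2.4.5 5.3.1.0
web04 2.2 5.2.9'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

Only web02 comes back OK in the sample: web01 is inside the affected range, web03 runs an interim release that is still short of 2.4.7, and web04 has an older WHM plugin. Pipe the real inventory into audit_inventory and treat every ACTION line as a host to patch or strip the plugin from before the deadline.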
For hosts running LiteSpeed with cPanel, even a newly created low-tier account is enough to exploit this vulnerability. Immediate action is essential to protect the integrity of the hosting environment.
Additional Resources
- CVE-2026-48172 – NVD (official)
- Security Update for LiteSpeed cPanel Plugin – LiteSpeed Blog
- Known Exploited Vulnerabilities Catalog – CISA
LowEndBox is a go-to resource for those seeking budget-friendly hosting solutions. This editorial focuses on syndicated news articles, delivering timely information and insights about web hosting, technology, and internet services that cater specifically to the LowEndBox community. With a wide range of topics covered, it serves as a comprehensive source of up-to-date content, helping users stay informed about the rapidly changing landscape of affordable hosting solutions.