A low-privilege cPanel account is all an attacker needs to seize full control of an entire shared server. That is the practical consequence of CVE-2026-48172, a privilege escalation flaw in the LiteSpeed User-End cPanel Plugin that the US Cybersecurity and Infrastructure Security Agency (CISA) added to its Known Exploited Vulnerabilities (KEV) catalogue on 26 May 2026 — confirming exploitation in the wild before a patch was widely deployed.

What the Vulnerability Does

The flaw sits in the plugin's JSON API, specifically in the function that toggles Redis caching on or off for individual cPanel accounts (lsws.redisAble). The function passes user-supplied input to backend operations that run as root without adequate validation. Any authenticated cPanel user — including a low-privilege tenant on a shared server, or any account compromised via phishing or credential stuffing — can send a crafted request to that endpoint and execute arbitrary scripts with full server privileges.

LiteSpeed Technologies stated the vulnerability "is being actively exploited, and poses a risk for all user-end plugin versions between v2.3 and v2.4.4." cPanel separately noted the exploit "allowed unauthorised root access to the server." Root access on a shared hosting machine means every domain, database, and mail account hosted on that machine is exposed — not just the account used to trigger the exploit.

Note: this article describes the attack class for defensive purposes only. No exploit code or step-by-step reproduction details are included.

Scoring and Classification

CVSS v4.0 score: 10.0 (maximum possible)
Vulnerable user-end plugin versions: v2.3 to v2.4.4
Added to CISA KEV catalogue: 26 May 2026
Federal agency patch deadline (BOD 22-01): 29 May 2026

The vulnerability is classified under CWE-266 (Incorrect Privilege Assignment). SecurityWeek reported a score of 9.8; thecyberthrone.in attributes this to CVSS v3.x, with the CVSS v4.0 score recorded by cvefeed.io as 10.0 — the maximum possible under the newer framework.

Timeline

On 19 May 2026, cPanel pushed a nightly update that removed the LiteSpeed user-end plugin from auto-installation across all cPanel versions. That action was cPanel's own emergency response, not a LiteSpeed fix. LiteSpeed Technologies published its own patched releases on 21 May 2026 — specifically LiteSpeed cPanel User-End Plugin v2.4.5 and v2.4.7. The WHM Plugin v5.3.1.0, released the same day, bundles the patched user-end component at v2.4.7 but is not itself the source of the vulnerability, according to SecurityWeek. CISA's KEV listing followed on 26 May, with federal agencies given until 29 May to comply under Binding Operational Directive 22-01. Active exploitation preceded both the cPanel and LiteSpeed responses, qualifying this as a zero-day.

Who Is Affected

Any shared hosting or managed hosting environment running the LiteSpeed User-End cPanel Plugin in versions 2.3 through 2.4.4 is potentially compromised if not yet patched. LiteSpeed Web Server is one of the most deployed alternatives to Apache and Nginx in the shared hosting market, with broad adoption among budget and mid-tier hosting providers. That market segment dominates entry-price plans for small and medium enterprises across Southeast Asia, where cPanel-based stacks are standard. Hosting providers in the region that have not applied the update, or whose customers self-manage plugin versions, face the greatest residual exposure.

The multi-tenant nature of shared hosting multiplies the damage potential. One exploited account yields root access to every co-tenant — a single breach point cascades into a platform-wide incident.

What Operators Should Do Now

The fix targets the user-end plugin directly: confirm the installed version is at least v2.4.5. Administrators managing via WHM can install WHM Plugin v5.3.1.0 or higher as a convenience path — that release is not itself vulnerable but bundles the patched user-end plugin at v2.4.7, making it a single-step upgrade for WHM-managed hosts. If compromise is suspected, LiteSpeed recommends searching access logs for requests matching the pattern cpanel_jsonapi_func=redisAble, rotating all credentials (database passwords, API keys, SSH keys), and auditing system access records for post-exploitation activity. Restricting cPanel and WHM interfaces to trusted IP ranges or VPN-protected networks reduces the attack surface for this class of flaw going forward.
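The version check and the log search described above, as an added example that is not code from LiteSpeed, cPanel or the original article. It treats v2.3 through v2.4.4 as the affected range and v2.4.5 or later as fixed, exactly as the advisory states, scans access-log lines for the vendor's suggested marker cpanel_jsonapi_func=redisAble, and flags any hit whose source address falls outside an operator-supplied trusted range. The log lines are constructed for the example, and their layout (client IP, account name, bracketed timestamp, quoted request line) is an assumption rather than a documented cPanel log format; adjust the regular expression to the real file before use.

```python
import ipaddress
import re
from typing import Iterable, List, NamedTuple, Tuple

# Affected range named in the advisory: v2.3 through v2.4.4 inclusive.
# v2.4.5 is the first patched user-end release.
VULNERABLE_MIN = (2, 3, 0)
FIXED_MIN = (2, 4, 5)

# Marker LiteSpeed recommends searching access logs for.
REDISABLE_MARKER = "cpanel_jsonapi_func=redisAble"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v2.4.4', '2.4' or '2.3' into a three-part integer tuple."""
    parts = [int(p) for p in text.strip().lstrip("vV").split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version: str) -> bool:
    """True when the installed user-end plugin lies in the advisory's range."""
    v = parse_version(version)
    return VULNERABLE_MIN <= v < FIXED_MIN


class Hit(NamedTuple):
    source_ip: str
    account: str
    timestamp: str
    raw: str


# Assumed log-line layout (constructed for this example):
# "<ip> - <account> [<timestamp>] "<method> <path?query> HTTP/1.1" <status> <bytes>"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) - (?P<account>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)'
)


def find_redisable_requests(lines: Iterable[str]) -> List[Hit]:
    """Return every line that carries the redisAble marker, parsed where possible."""
    hits = []
    for line in lines:
        if REDISABLE_MARKER not in line:
            continue
        m = LOG_LINE.match(line)
        if m:
            hits.append(Hit(m["ip"], m["account"], m["ts"], line.rstrip()))
        else:
            # Unparseable lines are still reported rather than silently dropped.
            hits.append(Hit("?", "?", "?", line.rstrip()))
    return hits


def outside_trusted(hits: Iterable[Hit], trusted_cidrs: Iterable[str]) -> List[Hit]:
    """Keep hits whose source IP is not inside any operator-trusted network."""
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    flagged = []
    for h in hits:
        try:
            ip = ipaddress.ip_address(h.source_ip)
        except ValueError:
            flagged.append(h)  # no usable address: treat as untrusted
            continue
        if not any(ip in n for n in nets):
            flagged.append(h)
    return flagged


# Constructed sample log: two redisAble calls and one unrelated API call.
SAMPLE_LOG = """\
203.0.113.10 - alice [26/05/2026:09:12:01 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
198.51.100.7 - bob [26/05/2026:09:13:44 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=Email&cpanel_jsonapi_func=listpops HTTP/1.1" 200 2048
192.0.2.55 - carol [26/05/2026:09:15:09 +0000] "POST /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 128
"""


def main() -> None:
    for v in ("v2.3", "2.4.4", "2.4.5", "2.4.7"):
        print(f"plugin {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched / outside range'}")
    hits = find_redisable_requests(SAMPLE_LOG.splitlines())
    print(f"{len(hits)} redisAble request(s) found")
    # Example trusted range; replace with the operator's own admin networks.
    for h in outside_trusted(hits, ["203.0.113.0/24"]):
        print(f"  review: account={h.account} ip={h.source_ip} at {h.timestamp}")


if __name__ == "__main__":
    main()
```

A hit from a trusted address is not proof of benign use, and an absent hit is not proof of safety if logs were rotated or tampered with; the scan narrows where to look, and the credential rotation and access audit the advisory recommends still apply.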