CVE-2026-29203HIGH 8.8EPSS p38.4%

CVE-2026-29203CVE-2026-29203

Description

A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.49% probability of exploitation · percentile 38.4% · 2026-06-18T12:00:27Z
Published2026-05-08
Last modified2026-05-15

Underlying weaknesses· 1

CWE-61

References

  1. https://support.cpanel.net/hc/en-us/articles/40311543760407-Security-CVE-2026-29203-cPanel-WHM-WP2-Security-Update-May-08-2026

1

TypeTargetConfidenceTier
WeaknessUNIX Symbolic Link (Symlink) Followingcwe-610%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-66429
CVE
LiteSpeed cPanel Plugin Privilege Escalation Vulnerability
CVE
CVE-2025-39491
CVE
CVE-2026-29202
CVE
CVE-2026-44051
CVE
CVE-2025-66430
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.