CISA adds exploited LiteSpeed cPanel plugin zero-day CVE-2026-48172 to KEV and urges immediate removal or patching

CISA says a critical bug in the LiteSpeed user-end plugin for cPanel is being actively exploited and can give attackers root-level control of affected servers. The flaw, CVE-2026-48172, is a 9.8-severity privilege-escalation vulnerability affecting user-end plugin versions 2.3 through 2.4.4. LiteSpeed fixed it in version 2.4.5, later bundled in WHM Plugin 5.3.1.0 with user-end plugin 2.4.7. cPanel also removed the vulnerable plugin via a nightly update on May 19.

Why it matters: Organizations running cPanel with the LiteSpeed user-end plugin could be exposed to full server compromise, so this is an update-now or remove-now situation. Admins should upgrade immediately, remove the plugin if they cannot patch, and review logs and suspicious IP activity for signs of exploitation.

Sources

CISA gives feds 4 days to patch actively exploited cPanel plugin flaw
Sergiu Gatlan 2026.05.27 98% relevant
This article covers the same underlying event (active exploitation of LiteSpeed cPanel plugin flaw CVE-2026-48172 and CISA's KEV action) and adds the concrete BOD 22-01 deadline giving U.S. federal agencies four days, until May 29, 2026, to patch or discontinue use.

CISA Urges Immediate Patching of Exploited LiteSpeed cPanel Plugin Zero-Day
Ionut Arghire 2026.05.27 100% relevant
This article establishes a new tracked story centered on CVE-2026-48172: an actively exploited LiteSpeed cPanel plugin zero-day, its vendor fix, cPanel mitigation, and CISA KEV listing.