
CVE-2026-48172
Privilege-escalation flaw in the LiteSpeed cPanel plugin, added to CISA KEV on 26 May 2026.
Last refreshed: 29 May 2026 · Appears in 1 active topic
Why can a plugin flaw in cPanel give attackers control over every website on a shared server?
Timeline for CVE-2026-48172
Microsoft ends the Nightmare Eclipse run
Cybersecurity: Threats and DefencesBlueHammer turns into a ransomware step
Cybersecurity: Threats and DefencesCisco tops a five-vendor KEV batch
Cybersecurity: Threats and DefencesAllowed incorrect tunnel-type decapsulation on affected Arista switch series
Cybersecurity: Threats and Defences: Arista refuses to patch KEV flawEnabled unauthenticated service crash via crafted deflate-header HTTP POST request
Cybersecurity: Threats and Defences: SolarWinds Serv-U back on KEV listWhat is CVE-2026-48172 and does it affect my hosting?
How dangerous is a privilege escalation bug in cPanel?
How do I fix CVE-2026-48172 on my LiteSpeed cPanel server?
Background
CVE-2026-48172 is a privilege-escalation vulnerability in the LiteSpeed plugin for cPanel, a widely-deployed web hosting control panel. The flaw was added to CISA's Known Exploited Vulnerabilities catalogue on 26 May 2026, confirming active exploitation. LiteSpeed is a high-performance web server and caching layer used extensively by web-hosting providers and managed WordPress hosts; its cPanel integration manages server configuration and virtualhost settings. A privilege-escalation flaw in this context can allow an attacker with limited hosting-account access to gain elevated server-level privileges.
cPanel-hosted environments are disproportionately represented in the shared and SME hosting segment, where multiple tenants share a single server and privilege boundaries between accounts are the primary security control. Privilege escalation via a server plugin removes those boundaries, potentially exposing the data and configurations of all tenants on the affected server. LiteSpeed's broad adoption in the managed WordPress hosting ecosystem means the affected population extends across millions of hosted websites.
The May 2026 KEV listing is one of several privilege-escalation CVEs to reach the KEV catalogue in Q2 2026, reflecting a sustained attacker focus on server-side privilege boundaries. Web hosting infrastructure is frequently overlooked in enterprise patch-management cycles because control panel software sits outside standard OS update mechanisms and may require hosting provider action rather than customer-level patching.