
CVE-2026-48172
Privilege-escalation flaw in the LiteSpeed cPanel plugin, added to CISA KEV on 26 May 2026.
Last refreshed: 29 May 2026
Why can a plugin flaw in cPanel give attackers control over every website on a shared server?
- What is CVE-2026-48172 and does it affect my hosting?
- CVE-2026-48172 is a privilege-escalation flaw in the LiteSpeed cPanel plugin, confirmed as actively exploited (CISA KEV, 26 May 2026). It affects servers running cPanel with the LiteSpeed plugin. Contact your hosting provider to confirm whether the patch has been applied. Source: CISA KEV, May 2026
- How dangerous is a privilege escalation bug in cPanel?
- On a shared hosting server, privilege escalation via cPanel can break the tenant-isolation boundary, giving an attacker access to all accounts, databases, and configuration files on the same server. This affects every website hosted on that machine. Source: event
- How do I fix CVE-2026-48172 on my LiteSpeed cPanel server?
- Apply the vendor patch for the LiteSpeed cPanel plugin. On managed or shared hosting, this is typically applied by the hosting provider. Self-managed cPanel users should update the LiteSpeed plugin through WHM or the LiteSpeed admin interface immediately. Source: event
Background
CVE-2026-48172 is a privilege-escalation vulnerability in the LiteSpeed plugin for cPanel, a widely deployed web hosting control panel. The flaw was added to CISA's Known Exploited Vulnerabilities catalogue on 26 May 2026, confirming active exploitation. LiteSpeed is a high-performance web server and caching layer used extensively by web-hosting providers and managed WordPress hosts; its cPanel integration manages server configuration and virtual host settings. A privilege-escalation flaw in this context can allow an attacker with limited hosting-account access to gain elevated server-level privileges.
cPanel-hosted environments are disproportionately represented in the shared and SME hosting segment, where multiple tenants share a single server and privilege boundaries between accounts are the primary security control. Privilege escalation via a server plugin removes those boundaries, potentially exposing the data and configurations of all tenants on the affected server. LiteSpeed's broad adoption in the managed WordPress hosting ecosystem means the affected population extends across millions of hosted websites.
The May 2026 KEV listing is one of several privilege-escalation CVEs to reach the KEV catalogue in Q2 2026, reflecting a sustained attacker focus on server-side privilege boundaries. Web hosting infrastructure is frequently overlooked in enterprise patch-management cycles because control panel software sits outside standard OS update mechanisms and may require hosting provider action rather than customer-level patching.