LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root
CVSS 10.0 flaw CVE-2026-48172 in LiteSpeed’s cPanel plugin is actively exploited to run arbitrary scripts as root. Patch to WHM plugin 5.3.1.0 immediately or uninstall.
What’s new: A critical vulnerability, CVE-2026-48172 (CVSS score: 10.0), has been discovered in the LiteSpeed User-End cPanel Plugin, allowing attackers to execute arbitrary scripts as root. This flaw affects all versions of the plugin from 2.3 to 2.4.4 and is currently being actively exploited in the wild.
Who’s affected
All users of the LiteSpeed User-End cPanel Plugin versions 2.3 to 2.4.4 are at risk. The LiteSpeed WHM plugin itself is not impacted, but any host running the vulnerable user-end plugin should treat this as urgent.
What to do
- Upgrade immediately to LiteSpeed WHM Plugin version 5.3.1.0, which bundles cPanel plugin version 2.4.7 or higher.
- If immediate patching is not possible, uninstall the user-end plugin:
  /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
- Check for exploitation indicators by running:
  grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
  Investigate any suspicious IP addresses in the output.
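
To triage the output of that grep, the matches can be tallied per source address. The script below is an added example, not LiteSpeed or cPanel code; `summarize_hits` and `sample_log` are hypothetical names, the sample lines are constructed, and it assumes the client address is the first IPv4-looking token on each log line.

```shell
#!/bin/sh
# Added example (not vendor code): tally source addresses in log lines that
# contain the advisory's indicator string.
INDICATOR='cpanel_jsonapi_func=redisAble'

# Reads log lines on stdin, either raw or prefixed "file:" as grep -r prints.
# Prints "<hits> <address>" per source, most hits first.
# Assumption: the client address is the first IPv4-looking token on the line;
# lines without one (for example IPv6 clients) are counted under "unknown".
summarize_hits() {
    awk -v pat="$INDICATOR" '
        index($0, pat) {
            if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                ip = substr($0, RSTART, RLENGTH)
            } else {
                ip = "unknown"
            }
            hits[ip]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines: documentation address ranges, placeholder paths.
sample_log() {
    cat <<'EOF'
/usr/local/cpanel/logs/access_log:198.51.100.23 - - [01/Jan/2026:00:00:01 +0000] "GET /placeholder?cpanel_jsonapi_func=redisAble HTTP/1.1" 200
/usr/local/cpanel/logs/access_log:192.0.2.10 - - [01/Jan/2026:00:00:02 +0000] "GET /placeholder?page=home HTTP/1.1" 200
/usr/local/cpanel/logs/access_log:203.0.113.7 - - [01/Jan/2026:00:00:03 +0000] "GET /placeholder?cpanel_jsonapi_func=redisAble HTTP/1.1" 200
/usr/local/cpanel/logs/access_log:198.51.100.23 - - [01/Jan/2026:00:00:04 +0000] "GET /placeholder?cpanel_jsonapi_func=redisAble HTTP/1.1" 200
EOF
}

# Demo on the sample. On a host, pipe the advisory's grep into the function:
#   grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs \
#       /usr/local/cpanel/logs/ 2>/dev/null | summarize_hits
sample_log | summarize_hits
```

Addresses with repeated hits sort to the top and can be checked against known administrator and monitoring sources first.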



