The U.S. Cybersecurity and Infrastructure Security Agency has added a LiteSpeed cPanel Plugin flaw to its Known Exploited Vulnerabilities catalog, and federal civilian agencies must apply fixes by June 18, 2026. The issue, tracked as CVE-2026-54420, carries a CVSS score of 8.5 and can let a user with FTP or web shell access escalate to root on shared hosting servers running CloudLinux or CageFS.
KEY FACTS
- Severity: CVE-2026-54420 has a CVSS score of 8.5.
- Impact: The flaw can allow privilege escalation to root on shared hosting servers.
- Affected software: LiteSpeed cPanel Plugin before 2.4.8 and LiteSpeed WHM Plugin before 5.3.2.0.
- Deadline: FCEB agencies must remediate by June 18, 2026.
A technical advisory from CISA placed the flaw in the KEV catalog after it was reported by Namecheap on May 31, 2026. The disclosure says the plugin mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux or CageFS.
LiteSpeed said users can run a grep command against cPanel logs to check whether their servers were affected. If the command returns no output, the company said the server has not been impacted. If output appears, it listed indicators to help rule out false positives, including a generateEcCert call immediately followed by packageUserSize for the same user and seven to 10 concurrent calls per attempt.
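The two indicators can be checked mechanically once candidate log lines are in hand. The following is an added example, not LiteSpeed's grep command or code from the advisory; the log line layout, the two-second window used for "concurrent", and the account names are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed line layout for this example (not the real cPanel log format):
#   <ISO timestamp> user=<account> func=<function name>
LINE_RE = re.compile(r"^(\S+) user=(\S+) func=(\S+)$")
WINDOW = timedelta(seconds=2)  # assumption: "concurrent" = within 2 seconds
BURST = range(7, 11)           # seven to 10 calls per attempt

def parse(lines):
    """Yield (timestamp, user, func); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def triage(lines):
    """Return {user: [(pair_time, nearby_calls, burst_match), ...]}."""
    per_user = {}
    for ts, user, func in parse(lines):  # log order is kept per user
        per_user.setdefault(user, []).append((ts, func))
    findings = {}
    for user, calls in per_user.items():
        for (t1, f1), (_, f2) in zip(calls, calls[1:]):
            # Indicator 1: generateEcCert directly followed by
            # packageUserSize in the same user's call sequence.
            if (f1, f2) != ("generateEcCert", "packageUserSize"):
                continue
            # Indicator 2: how many of this user's calls sit near the pair.
            near = sum(1 for t, _ in calls if abs(t - t1) <= WINDOW)
            findings.setdefault(user, []).append((t1, near, near in BURST))
    return findings

# Constructed sample: shared1 shows both indicators, shared2 only the first.
SAMPLE = """\
2026-05-30T10:15:00 user=shared1 func=generateEcCert
2026-05-30T10:15:00 user=shared1 func=packageUserSize
2026-05-30T10:15:00 user=shared1 func=generateEcCert
2026-05-30T10:15:00 user=shared1 func=packageUserSize
2026-05-30T10:15:01 user=shared1 func=generateEcCert
2026-05-30T10:15:01 user=shared1 func=packageUserSize
2026-05-30T10:15:01 user=shared1 func=generateEcCert
2026-05-30T10:15:01 user=shared1 func=packageUserSize
2026-05-30T11:02:07 user=shared2 func=generateEcCert
2026-05-30T11:02:07 user=shared2 func=packageUserSize
""".splitlines()
if __name__ == "__main__":
    for user, hits in triage(SAMPLE).items():
        print(user, [(str(t), n, b) for t, n, b in hits])
```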
It is not known whether the vulnerability has been exploited in the wild or whether any attacks have succeeded. LiteSpeed said users should upgrade to LiteSpeed WHM Plugin v5.3.2.1, bundled with cPanel plugin v2.4.8, or later to patch the issue.
WHY IT MATTERS
The KEV listing signals that CISA considers the flaw actively exploited or at heightened risk, which makes patching more urgent for affected hosting environments. Shared servers using the plugin may face root-level compromise if the issue is not addressed.

