Source: Security.NL
According to Security.NL, a new security vulnerability has been discovered in cPanel and WHM, two widely used tools for managing web hosting accounts and servers. The vulnerability, identified as CVE-2026-29202, allows an attacker who already has an account on a server to execute arbitrary Perl code on the underlying machine.
cPanel is a control panel used by individual hosting account holders to manage their websites. WHM (Web Host Manager) is the interface that hosting providers use to manage servers and create cPanel accounts. Many small businesses rely on hosting environments that run on cPanel without necessarily knowing it.
According to Security.NL, the risk is particularly significant on shared hosting servers, where multiple customers share the same underlying machine. Because the only requirement to exploit CVE-2026-29202 is a valid account, any account holder on a shared server could use this vulnerability to run code that affects the entire machine, not just their own account.
This is separate from an earlier vulnerability, CVE-2026-41940, which according to Security.NL was previously exploited to compromise 44,000 cPanel installations.
According to Security.NL, cPanel released updates on 10 May 2026 to address three new vulnerabilities, including CVE-2026-29202. If you manage your own server or have a technical contact who does, checking that cPanel and WHM are updated to the latest version is the right next step.
If you use managed hosting, your hosting provider is responsible for applying these patches. It is worth contacting them to confirm the update has been applied.
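The advice above is to confirm that cPanel and WHM have actually been updated. The following is an added example, not code from Security.NL or from cPanel, of how an administrator with shell access can compare the installed build against a required minimum. It assumes the standard cPanel version file at /usr/local/cpanel/version; the value of REQUIRED_MIN is a placeholder, because the article does not state the fixed build numbers, and should be taken from cPanel's own release notes for the 10 May 2026 updates.

```shell
#!/bin/sh
# Added example (not part of the Security.NL article or of cPanel itself):
# check the installed cPanel/WHM build against a required minimum version.
# /usr/local/cpanel/version is the standard location of the version string
# on cPanel servers. REQUIRED_MIN is a placeholder to be replaced with the
# patched build listed in cPanel's release notes.

REQUIRED_MIN="${REQUIRED_MIN:-0.0.0.0}"   # placeholder, set from cPanel release notes

# version_ge A B: succeed (return 0) if dotted version A is >= B.
# Components are compared numerically, left to right; missing
# trailing components count as 0 (so 11.130 == 11.130.0.0).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # keep digits only so a stray suffix cannot break the numeric test
        ai=$(printf '%s' "$ai" | tr -cd '0-9')
        bi=$(printf '%s' "$bi" | tr -cd '0-9')
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# check_cpanel_version [FILE] [MIN]: read the installed build from FILE
# (default /usr/local/cpanel/version) and compare it with MIN.
# Exit status: 0 = patched build or newer, 1 = update needed,
# 2 = version file not readable (not a cPanel host, or no privileges).
check_cpanel_version() {
    file="${1:-/usr/local/cpanel/version}"
    min="${2:-$REQUIRED_MIN}"
    if [ ! -r "$file" ]; then
        echo "no readable cPanel version file at $file" >&2
        return 2
    fi
    installed=$(tr -d '[:space:]' < "$file")
    if version_ge "$installed" "$min"; then
        echo "cPanel $installed >= $min: patched build installed"
        return 0
    fi
    echo "cPanel $installed < $min: UPDATE NEEDED"
    return 1
}

# Run the live check only when explicitly asked, e.g.
#   CPANEL_CHECK_RUN=1 REQUIRED_MIN=<patched build> sh check_cpanel.sh
if [ "${CPANEL_CHECK_RUN:-0}" = 1 ]; then
    check_cpanel_version
fi
```

The exit status makes the check easy to drop into a monitoring job: a non-zero result from `check_cpanel_version` means either the server is behind the patched build or the host is not a cPanel server at all, and both are worth a ticket to whoever operates it. On managed hosting you will not have this shell access; there, the equivalent step is asking the provider which build they are running.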
For a broader overview of security steps relevant to small business websites, see our security checklist for small businesses.
If your website runs on a shared hosting server using cPanel, this vulnerability is relevant to you even if you did nothing wrong yourself. Contact your hosting provider to ask whether they have applied the latest cPanel security updates. Keeping your hosting environment patched is one of the most straightforward ways to protect your customers' data and your own business continuity.
The UK National Cyber Security Centre (NCSC) warned organisations and users about an unprecedented wave of vulnerabilities driven by AI tools capable of finding and exploiting security flaws at scale.
Let's Encrypt stopped issuing certificates for over two hours on the evening of 8 May 2026 due to an incident involving non-compliance with CCADB Policy rules.