Autres informations et services du gouvernement : www.belgium.be Centre for Cybersecurity Belgium

Warning: CVE-2026-48172, a critical LiteSpeed cPanel/WHM plugin flaw, is being actively exploited. Patch Immediately!

Image
Decorative image
Publié : 26/05/2026
  • Last Update: 26/05/2026

    * Affected products:
         → LiteSpeed Technologies; cPanel Plugin Linux, affected from 2.3 before 2.4.7
         → LiteSpeed Technologies; WHM Plugin Linux affected from 0 before 5.3.1.0

    * Type: Incorrect Privilege Assignment

    * CVE/CVSS:

CVE-2026-48172: CVSS 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)

Sources

LiteSpeed - https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/

Risks

LiteSpeed Technologies has released security updates addressing a critical privilege escalation vulnerability, CVE-2026-48172, affecting the LiteSpeed cPanel Plugin and WHM Plugin for Linux systems.

LiteSpeed’s cPanel and WHM plugins are widely used in the web hosting industry to integrate LiteSpeed Web Server (LSWS) with cPanel/WHM hosting environments.

The vulnerability is confirmed as being actively exploited in the wild and poses a risk for all user-end plugin versions between v2.3 and v2.4.4.

Successful exploitation of this vulnerability could allow attackers to:

  • gain elevated (including root) privileges on affected systems,
  • execute arbitrary commands,
  • compromise hosted websites and customer accounts,
  • alter server configurations,
  • fully compromise vulnerable hosting environments.

Description

CVE-2026-48172 (CVSS score of 10.0) is an incorrect privilege assignment vulnerability (CWE-266) affecting:

  • LiteSpeed cPanel Plugin versions from 2.3 before 2.4.7,
  • LiteSpeed WHM Plugin versions before 5.3.1.0.

The vulnerability is related to improper handling of Redis enable/disable functionality through the lsws.redisAble function.

An authenticated cPanel user, including a compromised account, may exploit the flaw to execute arbitrary scripts with root privileges.

The vulnerability can be detected via grep for "cpanel_jsonapi_func=redisAble" in cPanel logs.

Recommended Actions

Patch 
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect 
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-48172
CVE - https://www.cve.org/CVERecord?id=CVE-2026-48172