Security Advisory - Published 2026-06-14 - cPanel / WHM
LiteSpeed cPanel Plugin CVE-2026-54420: shared hosting self-check
If you run LiteSpeed on WHM/cPanel shared hosting, check the user-end cPanel plugin first. The risky setup is a shared host where customer accounts can reach the LiteSpeed cPanel plugin and CloudLinux/CageFS is in use.
Who should check
| Area | What to verify | Why it matters |
|---|---|---|
| LiteSpeed cPanel user-end plugin | Version before 2.4.8 is affected. | This is the component exposed to cPanel users. |
| LiteSpeed WHM Plugin | Use 5.3.2.1 or newer so the bundled user-end plugin is fixed. | WHM plugin updates are the normal patch path. |
| Hosting model | Shared hosting with CloudLinux/CageFS deserves priority review. | The vendor reported active exploitation in this kind of environment. |
| Customer access | FTP, web shell, or cPanel user access on the server. | A compromised or malicious user account can turn this into a server-level incident. |
5-minute self-check
- Confirm the LiteSpeed WHM Plugin version in WHM and verify the bundled cPanel user-end plugin is 2.4.8 or newer.
- Check whether the server hosts multiple customer accounts with CloudLinux/CageFS enabled.
- Review cPanel and WHM logs before closing the incident, especially if the server had public customer login access.
```
grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null
```
The vendor published this as a defensive log check. No output makes this specific trace less likely, but it does not replace a normal incident review when the server had suspicious account activity.
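The self-check steps above as a POSIX shell sketch, added here as an example and not vendor or cPanel code: `version_lt` compares a version you read from WHM against the fixed versions, and `scan_logs` applies the vendor's pattern to plain files and to gzip-compressed files, which `grep -r` does not decompress. The function names and sample log lines are constructed for illustration, and the presence of compressed rotated logs on your server is an assumption.

```shell
# Fixed versions and log pattern, copied from the advisory text.
FIXED_USER_PLUGIN=2.4.8
FIXED_WHM_PLUGIN=5.3.2.1
IOC_PATTERN='cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert'

# version_lt A B: succeeds when dotted version A is strictly older than B.
# Missing components count as 0, so 5.3.2 is older than 5.3.2.1.
version_lt() {
    va=$1 vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        vx=${va%%.*}; vy=${vb%%.*}
        [ "${vx:-0}" -lt "${vy:-0}" ] && return 0
        [ "${vx:-0}" -gt "${vy:-0}" ] && return 1
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    done
    return 1
}

# scan_logs DIR...: print "file:line-number:line" for every match, reading
# *.gz files through gzip. Missing directories are skipped silently.
# Example: scan_logs /usr/local/cpanel/logs/ /var/cpanel/logs/
scan_logs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f | while IFS= read -r f; do
            case $f in
                *.gz) gzip -dc "$f" 2>/dev/null ;;
                *)    cat "$f" ;;
            esac | grep -nE -e "$IOC_PATTERN" | awk -v f="$f" '{ print f ":" $0 }'
        done
    done
}

# count_hits DIR...: number of matching lines across the given directories.
count_hits() { scan_logs "$@" | awk 'END { print NR }'; }

# make_sample_logs DIR: write constructed log lines (not real cPanel output),
# one plain file and one compressed file, to exercise scan_logs offline.
make_sample_logs() {
    mkdir -p "$1/archive"
    printf '%s\n' \
        'constructed: GET /json-api/cpanel?cpanel_jsonapi_func=someOtherFunc' \
        'constructed: GET /json-api/cpanel?cpanel_jsonapi_func=generateEcCert' \
        > "$1/access_log"
    printf '%s\n' \
        'constructed: cert_action_entry user=example action=geneccert' \
        'constructed: GET /json-api/cpanel?cpanel_jsonapi_func=packageUserSize' \
        | gzip -c > "$1/archive/access_log.1.gz"
}
```

Redirect the output of `scan_logs` to a file outside the hosting accounts' reach before patching, so the matching lines are preserved with their file names and line numbers.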
Safe fix path
- Upgrade LiteSpeed WHM Plugin to 5.3.2.1 or newer, then confirm the cPanel user-end plugin is 2.4.8 or newer.
- If you cannot update immediately, remove or disable the user-end plugin until the maintenance window is finished.
- Review recent cPanel sessions, FTP activity, SSH keys, cron entries, package changes, and unexpected root-level changes.
- Rotate credentials for affected hosting accounts after cleanup, not before evidence is captured.
When to request repair help
Use Ping7 CVE Repair if the log check returns matches, if customer accounts were compromised, or if WHM/cPanel actions changed without a known administrator. Shared hosting incidents need a careful order: preserve logs, patch the plugin, check root-level persistence, then clean customer accounts.