Security Advisory - Published 2026-06-14 - cPanel / WHM

LiteSpeed cPanel Plugin CVE-2026-54420: shared hosting self-check

If you run LiteSpeed on WHM/cPanel shared hosting, check the user-end cPanel plugin first. The risky setup is a shared host where customer accounts can reach the LiteSpeed cPanel plugin and CloudLinux/CageFS is in use.

Defensive scope: this page covers version checks, log review, patching, and compromise cleanup. It keeps attack strings and unauthorized testing steps out of the page.

Who should check

| Area | What to verify | Why it matters |
|---|---|---|
| LiteSpeed cPanel user-end plugin | Version before 2.4.8 is affected. | This is the component exposed to cPanel users. |
| LiteSpeed WHM Plugin | Use 5.3.2.1 or newer so the bundled user-end plugin is fixed. | WHM plugin updates are the normal patch path. |
| Hosting model | Shared hosting with CloudLinux/CageFS deserves priority review. | The vendor reported active exploitation in this kind of environment. |
| Customer access | FTP, web shell, or cPanel user access on the server. | A compromised or malicious user account can turn this into a server-level incident. |

5-minute self-check

  1. Confirm the LiteSpeed WHM Plugin version in WHM and verify the bundled cPanel user-end plugin is 2.4.8 or newer.
  2. Check whether the server hosts multiple customer accounts with CloudLinux/CageFS enabled.
  3. Review cPanel and WHM logs before closing the incident, especially if the server had public customer login access.

      grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null

The vendor published this as a defensive log check. An empty result makes this specific trace less likely, but it does not replace a normal incident review when the server had suspicious account activity.
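
The self-check above as a small shell helper, added here as an example (not LiteSpeed or cPanel code). The function names are hypothetical, the plugin version is passed in by the operator after reading it in WHM, and reading .gz files assumes rotated logs are gzip-compressed, which the recursive grep above would not search.

```sh
#!/bin/sh
# Added example, not vendor code. Thresholds and regex are the advisory's.
FIXED_USER_PLUGIN="2.4.8"     # cPanel user-end plugin
FIXED_WHM_PLUGIN="5.3.2.1"    # LiteSpeed WHM Plugin
TRACE_RE='cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert'

# version_lt A B: succeed when dotted version A is older than B.
# Fields compare numerically, so 2.4.10 is newer than 2.4.8 and 5.3.2 < 5.3.2.1.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.]"); nb = split(b, y, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# plugin_status user|whm VERSION: print "outdated" or "ok".
# VERSION is supplied by the operator; this script does not discover it.
plugin_status() {
    case "$1" in
        user) fixed=$FIXED_USER_PLUGIN ;;
        whm)  fixed=$FIXED_WHM_PLUGIN ;;
        *)    echo "unknown"; return 2 ;;
    esac
    if version_lt "$2" "$fixed"; then echo "outdated"; else echo "ok"; fi
}

# scan_logs DIR...: print "<matching lines><TAB><file>" per log with a trace,
# also reading .gz files (assumption: rotated logs are gzip-compressed).
# Returns 0 when a trace exists, 1 when none was found.
scan_logs() {
    hits=$(find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        case "$f" in
            *.gz) n=$(gzip -dc -- "$f" 2>/dev/null | grep -cE -- "$TRACE_RE" || true) ;;
            *)    n=$(grep -cE -- "$TRACE_RE" "$f" 2>/dev/null || true) ;;
        esac
        if [ "${n:-0}" -gt 0 ]; then printf '%s\t%s\n' "$n" "$f"; fi
    done)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Usage: scan_logs /usr/local/cpanel/logs /var/cpanel/logs
```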

Safe fix path

  • Upgrade LiteSpeed WHM Plugin to 5.3.2.1 or newer, then confirm the cPanel user-end plugin is 2.4.8 or newer.
  • If you cannot update immediately, remove or disable the user-end plugin until the maintenance window is finished.
  • Review recent cPanel sessions, FTP activity, SSH keys, cron entries, package changes, and unexpected root-level changes.
  • Rotate credentials for affected hosting accounts after cleanup, not before evidence is captured.

When to request repair help

Use Ping7 CVE Repair if the log check returns matches, if customer accounts were compromised, or if WHM/cPanel actions changed without a known administrator. Shared hosting incidents need a careful order: preserve logs, patch the plugin, check root-level persistence, then clean customer accounts.
