429 CVEs

1 in CISA KEV

cpanel Vulnerabilities

CVE security advisories and vulnerability history for cpanel.

429

Total CVEs

Published

1

In CISA KEV

Exploited in the wild

30

Public exploits

With known exploit

8.4

Avg CVSS

2003–2026

Overview

cpanel has 429 published CVE records since 2003, of which 1 are in CISA's Known Exploited Vulnerabilities catalog and 30 have a known public exploit. The average CVSS base score across scored CVEs is 8.4.

This page aggregates every publicly disclosed vulnerability (CVE) affecting cpanel products, with severity breakdowns, the most-affected products, the most common weakness types, and the latest disclosures.

Severity and exploitation

How the CVSS severity of cpanel's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical2

High2

Medium1

Low0

424 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

1

One of cpanel's CVEs is confirmed exploited in the wild.

Public exploits

30

30 of cpanel's CVEs have a known public exploit available.

Most affected products

The cpanel products with the most published CVEs.

cpanel420 CVEs
webhost manager5 CVEs
whm3 CVEs
cgiecho3 CVEs
cgiemail3 CVEs
fantastico de luxe3 CVEs
wp squared1 CVEs
cpanel\1 CVEs

Common weakness types

The CWE weakness categories most often found in cpanel CVEs. Follow any weakness for its full explanation.

CNAs that assign these CVEs

The CVE Numbering Authorities that publish cpanel CVE records.

Disclosure activity by year

How many cpanel CVEs were published each year.

2018

1

2019

321

2020

44

2021

10

2023

1

2024

1

2025

1

2026

1

Latest cpanel CVEs

The most recently disclosed vulnerabilities affecting cpanel.

WebPros cPanel and WHM Authentication Bypass via Login Flow
CISA KEV
CWE-306
Critical · CVSS 9.8
EPSS 90.8%2026-04-29
High vulnerability · 2025-12-11
CWE-22
High · CVSS 8.8
EPSS 0.1%2025-12-11
Critical vulnerability · 2024-02-13
CWE-125
Critical · CVSS 9.1
EPSS 0.1%2024-02-13
Medium vulnerability · 2023-04-27
Medium · CVSS 5.3
EPSS 92.9%2023-04-27
Vulnerability vulnerability · 2021-08-11
Unscored
EPSS 0.6%2021-08-11
Vulnerability vulnerability · 2021-08-11
Unscored
EPSS 1.5%2021-08-11
Vulnerability vulnerability · 2021-08-11
Unscored
EPSS 0.1%2021-08-11
Vulnerability vulnerability · 2021-08-11
Unscored
EPSS 0.3%2021-08-11
Vulnerability vulnerability · 2021-08-11
Unscored
EPSS 0.2%2021-08-11
Vulnerability vulnerability · 2021-08-11
Unscored
EPSS 0.6%2021-08-11
Vulnerability vulnerability · 2021-08-11
Unscored
EPSS 0.0%2021-08-11
Vulnerability vulnerability · 2021-04-26
Unscored
EPSS 0.4%2021-04-26

Track new cpanel CVEs as they are disclosed and get AI-written analysis and remediation guidance.

Monitor cpanel CVEs

Other vendors

Browse vulnerabilities for other tracked vendors.

citrix452 CVEs Hewlett Packard Enterprise (HPE)450 CVEs mediawiki441 CVEs tensorflow433 CVEs Trend Micro423 CVEs qemu423 CVEs emc416 CVEs mariadb415 CVEs

Browse all vendors

Frequently asked questions

Common questions about cpanel vulnerabilities.

How many CVEs does cpanel have?

cpanel has 429 published CVE records since 2003, including 2 in the last two years.

How many cpanel CVEs are in CISA KEV?

Yes — 1 of cpanel's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.

Which cpanel products have the most CVEs?

The cpanel products with the most published CVEs are cpanel, webhost manager, whm, cgiecho, cgiemail.

What are the most common weakness types in cpanel CVEs?

cpanel's CVEs most often map to these CWE weakness types: CWE-125 (Out-of-bounds Read), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')), CWE-276 (Incorrect Default Permissions), CWE-306 (Missing Authentication for Critical Function).

Are there public exploits for cpanel vulnerabilities?

Yes — 30 of cpanel's CVEs have a known public exploit.

How many critical cpanel vulnerabilities are there?

cpanel has 2 critical and 2 high-severity CVEs.

What is the average severity of cpanel CVEs?

The average CVSS base score across cpanel's scored CVEs is 8.4.

References

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track cpanel vulnerabilities

Monitor new cpanel vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing