Liquid Web incident
Security Advisory - LiteSpeed Privilege Escalation Vulnerability CVE-2026-48172
Liquid Web is currently experiencing a critical incident affecting cPanel, which began 1h ago. The vendor's full update timeline is below.
Affected components
Update timeline
- identified May 25, 2026, 07:17 PM UTC
A recently disclosed vulnerability (CVE-2026-48172) in the LiteSpeed user-end cPanel plugin allows an unprivileged user to escalate to root privileges in plugin versions between v2.3 and v2.4.4. This issue has been classified as high severity. Public reports suggest the vulnerability was being exploited in the wild in May 2026, and indicators of compromise have been published. On May 19th cPanel issued a separate update which disabled and removed the plugin. This vulnerability is patched in v2.4.7 of the user-end plugin and v5.3.1.0 of the WHM plugin (which bundles the user-end plugin).
Reference:
- https://nvd.nist.gov/vuln/detail/CVE-2026-48172
- https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/
- https://support.cpanel.net/hc/en-us/articles/40599423437079-Security-LiteSpeed-plugin-automatically-removed-during-nightly-update-May-19-2026
Status
Our security and operations teams are completing an assessment of our infrastructure and will force a upcp update today for all systems we are able to reach. We plan to review for Indicators of Compromise following the updates.
Customer Guidance
Customers managing their own systems or using unmanaged services should ensure they have applied the latest security updates or have removed the plugin. Customers should also review their systems for indicators of compromise using the information provided in the LiteSpeed blog article.
Should you need any assistance or have any questions or concerns, you can reach us through the following channels:
- Live Chat via the Customer Portal: https://my.liquidweb.com
- Email: [email protected]
We will continue monitoring this vulnerability and will provide updates if new information becomes available.