CVE-2026-29205

8.6

High

Published:13 May 2026

Last updated:17 Jun 2026

Source:support@hackerone.com

Awaiting Analysis

Weakness (CWE)

CWE-250CWE-250

CVSS Vector

v3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: Low

View on MITRE Find PoC on GitHub

Description

Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints.

References

support@hackerone.com

https://support.cpanel.net/hc/en-us/articles/40437020299927-Security-CVE-2026-29205-cPanel-WHM-WP2-Security-Update-May-13-2026