CVE-2026-48172: How one cPanel account can take down an entire shared server
The LiteSpeed User-End cPanel Plugin has a flaw that converts any authenticated low-privilege cPanel user into a root-level attacker with full control over the host server. CISA added it to the Known Exploited Vulnerabilities catalog on May 26, 2026, with a remediation deadline of May 29, 2026 for federal civilian agencies. That deadline is today.
What the vulnerability does
CVE-2026-48172 lives in versions 2.3 through 2.4.4 of the LiteSpeed User-End cPanel Plugin. The flaw is classified under CWE-266 (Incorrect Privilege Assignment).
The plugin exposes a JSON API that includes a function called lsws.redisAble. This function controls Redis on/off behavior for individual hosting accounts. The problem: user-supplied input from the API request reaches backend operations that run with root privileges, without passing through any validation. A specially crafted request to lsws.redisAble causes arbitrary scripts to execute as root.
No special conditions are required: any authenticated cPanel account, including a reseller account or an ordinary shared hosting customer's account, can trigger the flaw.
Why shared hosting makes this worse
Shared hosting puts hundreds of cPanel accounts on a single physical or virtual server. Each account belongs to a different customer, and the entire security model assumes that accounts are isolated from each other.
CVE-2026-48172 collapses that isolation. A single exploited account, whether it was taken over via phishing or credential stuffing or simply bought by a malicious actor, gives the attacker root access to every database, every email account, every set of stored credentials, and every website on the server.
The blast radius is not one customer. It is every customer on that host.
How to detect exploitation attempts
Tenable recommends scanning LiteSpeed and cPanel logs for exploitation attempts using this command:
Any match warrants immediate investigation.
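As an added illustration of what that log review looks like in practice (example code written for this page, not the Tenable command the article refers to and not anything shipped by LiteSpeed or cPanel), the script below scans a log for requests that invoke lsws.redisAble, the function named above, reports who called it and from where, and flags calls whose query string carries characters a plain on/off toggle should never need. The sample log lines are constructed, the Apache-combined-style line format and the request paths are assumptions, and the "unexpected characters" check is a heuristic, not a signature for this CVE:

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines (Apache "combined"-style, an assumption about how a
# cPanel / LiteSpeed front end records JSON API calls). The request paths are
# placeholders; the detector relies only on the literal function name
# lsws.redisAble from the advisory appearing somewhere in the request line.
SAMPLE_LOG = """\
198.51.100.4 - alice [27/May/2026:10:01:12 +0000] "GET /cpsess1/execute/lsws/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - bob [27/May/2026:10:03:45 +0000] "POST /cpsess2/json-api/lsws.redisAble?enable=1 HTTP/1.1" 200 88 "-" "curl/8.4.0"
203.0.113.7 - bob [27/May/2026:10:03:51 +0000] "POST /cpsess2/json-api/lsws.redisAble?enable=1%3B%20id HTTP/1.1" 500 0 "-" "curl/8.4.0"
198.51.100.4 - alice [27/May/2026:10:05:02 +0000] "GET /cpsess1/json-api/LSWS.RedisAble?enable=0 HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""
# The third line is constructed to show the *shape* a reviewer should notice
# (shell metacharacters in a toggle parameter); it is not a known payload.

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
FUNC_NAME = "lsws.redisable"  # compared case-insensitively
# Characters a legitimate enable/disable request plausibly needs; anything else
# after URL-decoding is a heuristic signal (an assumption, not a CVE signature).
SAFE_QUERY = re.compile(r"^[A-Za-z0-9_=&.\-]*$")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path = rec["path"]
    rec["query"] = unquote(path.split("?", 1)[1]) if "?" in path else ""
    return rec


def find_redisable_calls(log_text):
    """Return every request whose line mentions lsws.redisAble, with a suspicion flag."""
    hits = []
    for line in log_text.splitlines():
        if FUNC_NAME not in line.lower():
            continue
        rec = parse_line(line)
        if rec is None:
            # Mentions the function but does not parse: keep it rather than drop it.
            rec = {"ip": "?", "user": "?", "ts": "?", "method": "?",
                   "path": line, "status": "?", "query": ""}
        rec["suspicious_query"] = not SAFE_QUERY.match(rec["query"])
        hits.append(rec)
    return hits


def summarize(hits):
    """Count calls per cPanel user and pull out the ones whose query looks wrong."""
    per_user = Counter(h["user"] for h in hits)
    suspicious = [h for h in hits if h["suspicious_query"]]
    return {"total": len(hits), "per_user": dict(per_user), "suspicious": suspicious}


if __name__ == "__main__":
    calls = find_redisable_calls(SAMPLE_LOG)
    s = summarize(calls)
    print(f"{s['total']} lsws.redisAble call(s); per user: {s['per_user']}")
    for h in s["suspicious"]:
        print(f"REVIEW {h['ts']} user={h['user']} ip={h['ip']} "
              f"status={h['status']} query={h['query']!r}")
```

On a real host, read the front-end access log instead of SAMPLE_LOG and treat every hit as something to look at: the article's point is that any call to this function is worth investigation, and the query heuristic only orders the pile.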
How to fix it
Upgrade the LiteSpeed User-End cPanel Plugin to version 2.4.5 or later. LiteSpeed resolved the flaw in that release.
If you are a shared hosting customer rather than an operator, you cannot apply this patch yourself. Contact your hosting provider and ask them to confirm that the server is running LiteSpeed plugin 2.4.5 or later. If they cannot confirm it, treat the host as exposed: CISA's three-day window from catalog listing to due date reflects exploitation already underway.
The broader pattern
This type of vulnerability, where user-facing input reaches privileged backend operations without validation, is a recurring failure in hosting control panel software. The cPanel and Plesk ecosystems have a long history of privilege-escalation flaws precisely because they bridge customer-controlled input with system-level operations.
The lesson is not specific to LiteSpeed or cPanel. Any software that accepts user input and passes it to a component running with elevated privileges needs strict input validation and privilege separation at the boundary. Shared hosting operators should audit their plugin inventories for similar patterns.
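To make the boundary concrete, here is the weak pattern beside a hardened form, as hypothetical example code written for this page, not the LiteSpeed plugin's or cPanel's implementation. It assumes a root-run helper at a placeholder path that enables or disables Redis for one account, and an assumed cPanel-style account-name policy; the crafted input in the demo is constructed to show what the allowlist rejects, not a payload for this CVE:

```python
import re
import subprocess

HELPER = "/usr/local/sbin/redis-account"  # placeholder path (assumption), run as root
ACCOUNT_RE = re.compile(r"^[a-z][a-z0-9]{0,15}$")  # assumed account-name policy
ALLOWED_ACTIONS = frozenset({"enable", "disable"})


class RequestRejected(ValueError):
    """Raised by the privileged side when a request fails a boundary check."""


def build_shell_command_unsafe(account, action):
    """Weak pattern: caller-controlled strings are spliced into a command line
    that a root-owned backend will hand to a shell without any check."""
    return f"{HELPER} {action} {account}"


def validate_request(account, action, caller):
    """Checks the privileged component must do itself, never trusting the
    front end: a strict allowlist for every field, and the caller may only
    act on its own account."""
    if not isinstance(account, str) or not ACCOUNT_RE.match(account):
        raise RequestRejected("account name fails allowlist")
    if action not in ALLOWED_ACTIONS:
        raise RequestRejected("unknown action")
    if caller != account:
        raise RequestRejected("caller may only toggle Redis for its own account")
    return account, action


def build_argv_safe(account, action, caller):
    """Hardened form: validated fields become discrete argv entries and no
    shell ever parses them."""
    account, action = validate_request(account, action, caller)
    return [HELPER, action, account]


def toggle_redis(account, action, caller, runner=subprocess.run):
    """Entry point the root-side listener would call. `runner` is injectable so
    the command can be inspected in tests instead of executed."""
    argv = build_argv_safe(account, action, caller)
    return runner(argv, shell=False, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    crafted = "alice; id"  # constructed input, not a known payload
    print("string a shell would parse:", build_shell_command_unsafe(crafted, "enable"))
    for acct, actor in [("alice", "alice"), (crafted, "alice"), ("bob", "alice")]:
        try:
            print("argv:", build_argv_safe(acct, "enable", actor))
        except RequestRejected as e:
            print(f"rejected {acct!r} from {actor!r}: {e}")
```

Two design points matter more than the regex: the validation lives on the privileged side of the boundary, so a compromised or buggy front end cannot skip it, and the authorization check (caller equals account) is independent of whatever the cPanel session already decided.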
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you are dealing with a hosting security incident or vulnerability disclosure.