cPanel Security Patch Coming May 13, 2026: Five CVEs Up to High Severity

Derrell
Updated on May 13, 2026

cPanel has disclosed five new security vulnerabilities with a cPanel security patch scheduled for release today, May 13, 2026, at 1:00pm EST. Severity reaches up to High. There are no known exploits or proof-of-concept code in the wild at this time.

InMotion Hosting customers on Shared, WordPress, and Reseller plans do not need to take any action. Customers on VPS or Dedicated servers who manage their own cPanel updates should read on.

What We Know About the cPanel Security Patch

cPanel’s pre-release notification identifies five vulnerabilities. All five were either responsibly disclosed by external security researchers or identified internally by cPanel’s security team. Technical details for each CVE are under embargo until the patch goes live at 1:00pm EST. cPanel will publish the full technical advisory alongside the patch.

The five CVE identifiers are:

CVE-2026-29205
CVE-2026-29206
CVE-2026-32991
CVE-2026-32992
CVE-2026-32993

Note: Patched build numbers and full technical details will be published by cPanel at 1:00pm EST today. This article will be updated with the advisory link and confirmed patched versions once they are available.

Affected Versions

The following cPanel & WHM versions are affected by one or more of these vulnerabilities:

86
94
102
110
110 CL6
118
124
126
130
132
134
136
136 (WP2)

What You Should Do

Managed Servers (no action required)

Customers on Shared Hosting, Reseller Hosting, WordPress Hosting, Managed VPS, and Managed Dedicated plans have their cPanel updates managed by InMotion Hosting. The patch will be automatically applied across our fleet once it becomes available. You do not need to run any commands or make any changes to your account.

Self-managed VPS and Dedicated servers (action required)

If you have a VPS or Dedicated Server with WHM root access and you manage your own cPanel updates, confirm your update configuration before 1:00pm EST today.

To check which version of cPanel & WHM is running, log in via SSH and run:

    /usr/local/cpanel/cpanel -V

If your server is on any of the affected versions listed above, check /etc/cpupdate.conf to confirm how updates are configured. If automatic updates are enabled and your server is not version-pinned, the patch will apply automatically after 1:00pm EST.

If automatic updates are disabled or your server is pinned to a specific version, run the following command after 1:00pm EST to apply the patch manually:

    /scripts/upcp

Do not run /scripts/upcp before 1:00pm EST. The patched build will not be available until cPanel releases it. If your environment requires a maintenance window, notify the relevant parties now so they are ready when the patch drops.

CloudLinux 6 note

Important: If your server runs cPanel version 110 on CloudLinux 6 (listed as 110 CL6 in the affected versions above), you must set the update tier to the cl6110 branch before running /scripts/upcp. Run the following command first:

    sed -i "s/CPANEL=.*/CPANEL=cl6110/g" /etc/cpupdate.conf

Then run /scripts/upcp to apply the patch. Skipping the tier change on a CloudLinux 6 server may result in the wrong build being installed.

For help accessing your server via SSH, see How to Connect to Your Server with SSH.

What Comes Next

After the patch releases at 1:00pm EST, cPanel will publish a follow-up notification with the exact patched build numbers for each affected version and a link to the full technical advisory covering all five CVEs. InMotion Hosting will update this article with that information and a direct link to the cPanel advisory once it is available.

If you have questions about your specific server environment, contact us for further assistance.

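The version and update-configuration check from the self-managed section, as an added shell example (not cPanel or InMotion Hosting code). It assumes the UPDATES key of /etc/cpupdate.conf (daily, manual or never; part of cPanel's file format but not shown on this page), that cpanel -V prints either the "110.0 (build N)" or the "11.110.0.N" form, and a hypothetical "cl6" argument by which the operator marks a CloudLinux 6 host.

```shell
#!/bin/sh
# Added example, not cPanel or InMotion Hosting code.
AFFECTED="86 94 102 110 118 124 126 130 132 134 136"  # majors listed on this page

# Value of key $1 in a cpupdate.conf-style file $2 (last assignment wins).
conf_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | tr -d '[:space:]'
}

# Major version from "110.0 (build 5)" or "11.110.0.5" (assumed -V formats).
major_of() {
    printf '%s\n' "$1" | sed -e 's/^11\.//' -e 's/[^0-9].*$//'
}

is_affected() {
    case " $AFFECTED " in *" $(major_of "$1") "*) return 0 ;; esac
    return 1
}

# "automatic": the scheduled update picks up the patch after release.
# "manual": run /scripts/upcp yourself once the patched build is out.
update_mode() {
    case "$(conf_value CPANEL "$1")" in
        ''|[0-9]*) echo manual; return 0 ;;   # no tier, or pinned to a version
    esac
    case "$(conf_value UPDATES "$1")" in
        daily) echo automatic ;;
        *)     echo manual ;;                 # manual, never, or unset (treated as manual)
    esac
}

# Plan for version string $1, config file $2; pass "cl6" as $3 on CloudLinux 6.
patch_plan() {
    if ! is_affected "$1"; then echo not-listed; return 0; fi
    if [ "$(major_of "$1")" = 110 ] && [ "${3:-}" = cl6 ] &&
       [ "$(conf_value CPANEL "$2")" != cl6110 ]; then
        echo set-tier-cl6110-then-upcp; return 0
    fi
    update_mode "$2"
}

# Report on the live server only when cPanel is installed.
if [ -x /usr/local/cpanel/cpanel ] && [ -r /etc/cpupdate.conf ]; then
    patch_plan "$(/usr/local/cpanel/cpanel -V)" /etc/cpupdate.conf "${1:-}"
fi
```

A result of "manual" or "set-tier-cl6110-then-upcp" means the server will not receive the patch until /scripts/upcp is run after the release time.
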
For questions about running /scripts/upcp or interpreting the output, refer to the cPanel update preferences documentation once the official advisory publishes later today.

Derrell Willis, Manager, Developer Relations