A critical privilege escalation flaw in the LiteSpeed User-End cPanel Plugin lets any cPanel user account execute arbitrary scripts as root, and CISA has confirmed active exploitation by adding it to the KEV catalog on 2026-05-26.
What Is It
CVE-2026-48172 is a privilege escalation vulnerability (CWE-266, Incorrect Privilege Assignment) in the LiteSpeed User-End cPanel Plugin. The root cause is mishandling of the Redis enable/disable features exposed through the user-end plugin, which allows any cPanel user account to execute arbitrary scripts with root privileges. The flaw was exploited in the wild in May 2026.
NVD assigns the issue a CVSS v3.1 base score of 9.8 (Critical) and a CVSS v4.0 base score of 10.0 (Critical). The vector indicates a network attack with low complexity, no privileges required, and no user interaction (AV:N/AC:L/PR:N/UI:N), and high impact to confidentiality, integrity, and availability.
Why It Matters
CISA added CVE-2026-48172 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-05-26, confirming observed in-the-wild exploitation. The required action deadline for federal agencies under BOD 22-01 is 2026-05-29, a three-day window that underscores the urgency. Known ransomware campaign use is currently listed as Unknown. Because the bug yields root from any low-privileged cPanel user, a single compromised hosting customer can lead to full server takeover, with knock-on impact across every tenant on the affected host.
What's Vulnerable
- LiteSpeed User-End cPanel Plugin in all versions before 2.4.7.
- LiteSpeed WHM Plugin in all versions before 5.3.1.0.
Per the NVD description, operators can check for exploitation activity with:

    grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

No output means no observed exploitation; any output should be reviewed for unfamiliar source IPs and correlated against system logs to assess damage.
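To make the review for unfamiliar source IPs quicker, the following added example (not from the vendor or NVD) runs the same indicator search and tallies hits by source IP and user. It assumes matching lines use an access-log layout with the client IP in field 1 and the authenticated user in field 3; the sample log lines and the `/constructed/path` request path are constructed.

```bash
#!/bin/sh
# Added example (not vendor code): tally requests matching the advisory's
# indicator string by source IP and user, so unfamiliar sources stand out.
# Assumption: matching lines use an access-log layout where field 1 is the
# client IP and field 3 is the authenticated user.

PATTERN='cpanel_jsonapi_func=redisAble'

# Print "count ip user" for each IP/user pair with matching lines, busiest first.
summarize_hits() {
    grep -rhE "$PATTERN" "$@" 2>/dev/null |
        awk '{ n[$1 " " $3]++ } END { for (k in n) print n[k], k }' |
        sort -k1,1nr -k2,2
}

# Write constructed sample log lines to a temp directory and print its path.
make_sample_logs() {
    _d=$(mktemp -d) || return 1
    cat > "$_d/access_log" <<'EOF'
198.51.100.23 - alice [26/May/2026:10:01:02 -0000] "POST /constructed/path?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
198.51.100.23 - alice [26/May/2026:10:01:09 -0000] "POST /constructed/path?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
203.0.113.7 - bob [26/May/2026:11:15:40 -0000] "POST /constructed/path?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
192.0.2.10 - carol [26/May/2026:11:20:00 -0000] "GET /constructed/other HTTP/1.1" 200 512
EOF
    echo "$_d"
}

# With arguments, scan those paths (for example the two log directories in the
# grep command); with none, run against the constructed sample.
if [ "$#" -gt 0 ]; then
    summarize_hits "$@"
else
    sample=$(make_sample_logs)
    summarize_hits "$sample"
    rm -rf "$sample"
fi
```

An empty result corresponds to the "no output" case of the grep command; any rows list the accounts and addresses to correlate against system logs.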
Patch Status
LiteSpeed has released fixed versions. The vendor-recommended minimum version is LiteSpeed cPanel Plugin 2.4.7, and the WHM Plugin must be 5.3.1.0 or later. CISA's required action is to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.