Active KEV: CVE-2026-54420 (added 2026-06-15)

LiteSpeed cPanel Plugin Symlink Flaw (CVE-2026-54420) Added to CISA KEV

A symlink-following vulnerability in the LiteSpeed cPanel plugin lets a low-privileged user on shared CloudLinux/CageFS hosting escalate impact, and CISA confirms it has been exploited in the wild.

What Is It

CVE-2026-54420 is a UNIX symbolic link (symlink) following vulnerability (CWE-61) in the LiteSpeed cPanel plugin. The plugin mishandles symlinks supplied by a user who has FTP or web shell access on a shared hosting server running CloudLinux/CageFS. NVD rates it CVSS 3.1 base score 8.5 (HIGH), with vector AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H, meaning low privileges are required, no user interaction is needed, and a successful attack crosses a scope boundary with high confidentiality, integrity, and availability impact.
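
As an added example, not code from the advisory or from LiteSpeed or cPanel, the following Python shows the two defensive sides of the CWE-61 pattern this brief describes: a privileged component opening files under a tenant's home without following a tenant-planted symlink, and an operator audit that lists tenant symlinks resolving outside the home. All function names, paths and sample files are constructed for the demo.

```python
# Added example, not code from the advisory or from LiteSpeed/cPanel; every name, path and
# file here is constructed. A symlink-refusing open for a privileged component, plus an audit.
import os, stat, tempfile

def open_no_follow(home, relpath):
    """Open home/relpath read-only; O_NOFOLLOW via dir_fd at each step also defeats TOCTOU swaps."""
    parts = relpath.split("/")
    if relpath.startswith("/") or ".." in parts or "" in parts:
        raise PermissionError("path must be a clean relative path inside home")
    fd = os.open(home, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for name in parts[:-1]:
            nfd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nfd
        leaf = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=fd)
    except OSError as exc:  # a symlink component fails with ELOOP under O_NOFOLLOW
        raise PermissionError(f"refusing {relpath!r}: {exc.strerror}") from exc
    finally:
        os.close(fd)
    if not stat.S_ISREG(os.fstat(leaf).st_mode):  # no FIFOs, devices or directories
        os.close(leaf)
        raise PermissionError(f"{relpath!r} is not a regular file")
    return leaf

def escaping_symlinks(home):
    """Audit: (link, target) pairs for symlinks under home whose target resolves outside it."""
    home_real, hits = os.path.realpath(home), []
    for dirpath, dirnames, filenames in os.walk(home):  # os.walk does not descend into links
        for path in (os.path.join(dirpath, n) for n in dirnames + filenames):
            target = os.path.realpath(path)
            if os.path.islink(path) and os.path.commonpath([home_real, target]) != home_real:
                hits.append((os.path.relpath(path, home), target))
    return hits

def demo():
    base = tempfile.mkdtemp()
    home = os.path.join(base, "tenant", "public_html")
    os.makedirs(home)
    with open(os.path.join(home, "index.html"), "w") as f:
        f.write("hello\n")
    os.symlink(os.path.join(base, "victim", "secret.conf"), os.path.join(home, "config.conf"))
    with os.fdopen(open_no_follow(home, "index.html")) as f:
        content = f.read()
    try:
        open_no_follow(home, "config.conf")
        blocked = False
    except PermissionError:
        blocked = True
    return content, blocked, escaping_symlinks(home)
```

Running `demo()` shows the regular file is readable, the link to the neighbouring account's file is refused, and the audit reports that link with its resolved target.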

Why It Matters

CISA added this CVE to its Known Exploited Vulnerabilities catalog on 2026-06-15, and the NVD record states it was exploited in the wild in May 2026. The changed scope (S:C) and high impact across all three categories reflect the risk of a single tenant on a shared host affecting resources beyond their own account. On multi-tenant CloudLinux/CageFS environments, that combination is the core concern.

What's Vulnerable

Exploitation specifically requires a shared hosting server running CloudLinux/CageFS, where an attacker already holds FTP or web shell access.

Patch Status

LiteSpeed addressed the issue in cPanel plugin 2.4.8 (WHM PlugIn 5.3.2.0); see the vendor security advisory. CISA's required action is to apply mitigations per vendor instructions in line with BOD 26-04 guidance and CISA's Forensics Triage Requirements, following applicable cloud-services guidance or discontinuing use if mitigations are unavailable. The KEV due date is 2026-06-18. Known ransomware campaign use is listed as Unknown.

Sources