CVE-2026-54420
Status: Analyzed
Published: 14 Jun 2026, 03:23
Last modified: 16 Jun 2026, 03:56
Vulnerability Summary
Overall Risk (default): medium (34/100)
CVSS Score: 8.5 HIGH, v3.1 (cve.org)
EPSS Score: 0.35% LOW (0% probability, +0.29% trend)
KEV: Listed (CISA, 1 listing)
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected
Timeline
- 14 Jun 2026, 03:23: Published. Vulnerability first disclosed.
- 15 Jun 2026, 00:00: Added to CISA KEV as "LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability".
- 16 Jun 2026, 03:56: Last Modified. Vulnerability information updated.
- 18 Jun 2026, 00:00: CISA Remediation Due.
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Description
LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.
CVSS Metrics
- v3.1 • HIGH • Score: 8.5 • Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 0.35% • Percentile: 26%
Techniques & Countermeasures
- CWE-61 • UNIX Symbolic Link (Symlink) Following
The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
Affected Systems
- litespeed technologies • cpanel plugin: ≥ 2.3, < 2.4.8
- litespeedtech • litespeed_cpanel_plugin: < 2.4.8
- litespeedtech • litespeed_whm_plugin: < 5.3.2.0