Security Update for LiteSpeed cPanel Plugin

We have another urgent security update for LiteSpeed’s user-end plugin for cPanel.
Last night we were made aware of a vulnerability affecting our user-end cPanel plugin (LiteSpeed’s WHM plugin was not affected). We patched this vulnerability in v2.4.8.
Please update to the latest version of the cPanel user-end plugin, which is bundled with the WHM plugin.
This Privilege Escalation vulnerability, which was reported to us by the team at Namecheap, has been assigned CVE-2026-54420.
Impact
A vulnerability in the LiteSpeed cPanel plugin allows a user with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux/CageFS.
This vulnerability is being actively exploited, and poses a risk for all user-end plugin versions prior to 2.4.8.
Use the following command to determine if your server has been affected:
grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null
If there is no output, the retained logs show no sign that your server has been affected (keep in mind that rotated or purged logs cannot be checked this way).
If this command produces any output, the vulnerability may have been exploited on your server. There can be false positives, so look for the following to confirm:
- Pairing: generateEcCert immediately followed by packageUserSize for the same user (legitimate UI flows don’t chain these)
- Concurrency: 7–10 concurrent calls per attempt (legitimate UI does one at a time)
- Same source IP hammering both endpoints
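The three confirmation indicators above can be applied mechanically to the lines the grep returns. The script below is an added example written for this page; it is not LiteSpeed's or cPanel's code. It assumes a simplified access-log layout (IP, user, bracketed timestamp, quoted request line, status), which you should adapt to the real files under /usr/local/cpanel/logs/, and the sample log lines, the hypothetical user names and the 5-second pairing window, 2-second burst window and threshold of 7 calls are all constructed assumptions. It groups hits by source IP and user, counts generateEcCert calls that are followed by packageUserSize, measures the largest burst of calls, and flags a group only when all three indicators line up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line layout (simplified, NOT the exact cPanel format):
#   IP - user [MM/DD/YYYY:HH:MM:SS +ZZZZ] "METHOD path HTTP/x" status
# Adjust LINE_RE and TS_FMT to match the real files under /usr/local/cpanel/logs/.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%m/%d/%Y:%H:%M:%S %z"
# The same two endpoints the advisory's grep looks for.
FUNC_RE = re.compile(r"cpanel_jsonapi_func=(generateEcCert|packageUserSize)\b")


def parse_hits(lines):
    """Yield (ip, user, timestamp, func) for every request to either endpoint."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FUNC_RE.search(m["path"])
        if not f:
            continue
        yield m["ip"], m["user"], datetime.strptime(m["ts"], TS_FMT), f.group(1)


def triage(lines, pair_window=timedelta(seconds=5),
           burst_window=timedelta(seconds=2), burst_threshold=7):
    """Score each (source IP, user) against the advisory's three indicators.

    paired:    generateEcCert calls followed by packageUserSize within pair_window
    max_burst: most calls landing inside any burst_window (legit UI: one at a time)
    both:      both endpoints hit from the same IP and user
    The windows and threshold are assumed values; tune them to your traffic.
    """
    groups = defaultdict(list)
    for ip, user, ts, func in parse_hits(lines):
        groups[(ip, user)].append((ts, func))

    report = {}
    for key, hits in groups.items():
        hits.sort()
        paired = 0
        for i, (ts, func) in enumerate(hits):
            if func == "generateEcCert" and any(
                f2 == "packageUserSize" and t2 - ts <= pair_window
                for t2, f2 in hits[i + 1:]
            ):
                paired += 1
        max_burst = max(
            sum(1 for t2, _ in hits[i:] if t2 - ts <= burst_window)
            for i, (ts, _) in enumerate(hits)
        )
        both = {f for _, f in hits} == {"generateEcCert", "packageUserSize"}
        report[key] = {
            "hits": len(hits),
            "paired": paired,
            "max_burst": max_burst,
            "both_endpoints": both,
            # Only all three indicators together match the pattern the advisory describes.
            "suspicious": paired > 0 and both and max_burst >= burst_threshold,
        }
    return report


def _line(ip, user, ts, func, status=200):
    """Build one constructed log line in the assumed layout."""
    return f'{ip} - {user} [{ts}] "GET /json-api/cpanel?cpanel_jsonapi_func={func} HTTP/1.1" {status}'


# Constructed sample log: one benign certificate generation, one unrelated request,
# and an attack-style burst of 8 generateEcCert calls chained into 8 packageUserSize calls.
SAMPLE_LOG = (
    [_line("198.51.100.4", "alice", "05/31/2026:09:15:00 +0000", "generateEcCert")]
    + ['198.51.100.4 - alice [05/31/2026:09:15:02 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200']
    + [_line("203.0.113.7", "victim", "05/31/2026:12:00:00 +0000", "generateEcCert") for _ in range(8)]
    + [_line("203.0.113.7", "victim", "05/31/2026:12:00:01 +0000", "packageUserSize") for _ in range(8)]
)

if __name__ == "__main__":
    for (ip, user), r in triage(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{ip} {user}: hits={r['hits']} paired={r['paired']} "
              f"max_burst={r['max_burst']} both={r['both_endpoints']} -> {flag}")
```

Feed it the output of the grep from the advisory (for example, piping the matching lines into `triage(sys.stdin)`) after adjusting LINE_RE to the real log layout; the flagged (IP, user) pairs are the ones whose activity should then be traced through the rest of the system logs.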
To determine any damage done, examine the system logs for any actions taken by the detected IPs. If you need assistance, you may contact our support team.
Actions
We urgently recommend that those using the LiteSpeed user-end plugin for cPanel upgrade to LiteSpeed WHM Plugin v5.3.2.1 (bundled w/ cPanel plugin v2.4.8) or higher to patch this vulnerability.
To update the WHM plugin, run this command, which will also update the user-end plugin, if you currently have it installed:
wget -O- https://litespeedtech.com/packages/cpanel/lsws_whm_plugin_install.sh | sh
If you cannot upgrade at this time, you can use the following command to remove the user-end plugin and avoid this vulnerability:
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
Once you’ve updated the WHM plugin, you can run the following commands, which will reinstall the user-end plugin and turn on autoinstall:
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --install
/usr/local/lsws/admin/misc/lscmctl cpanelplugin -autoinstall 1
Timeline
- May 31, 2026: We were alerted to the original issue.
- May 31, 2026: cPanel pushed an uninstall command for the user-end plugin
- Jun 1, 2026: We released cPanel plugin v2.4.8 and WHM plugin v5.3.2.1
- Jun 1, 2026: We applied for a CVE
- Jun 14, 2026: CVE-2026-54420 was assigned
Conclusion
We thank Namecheap for bringing the original issue to our attention. We’d also like to thank the cPanel team for their immediate action in preventing further exploitation on additional servers. The vulnerability has been patched, so if you are keeping your cPanel plugin up-to-date, there is nothing you need to do. If you have not updated in a while, please do so immediately.