High

Symlink handling vulnerability in LiteSpeed cPanel plugin on CloudLinux/CageFS shared hosting

IdentifiersCVE-2026-54420CWE-61· UNIX Symbolic Link (Symlink)…

CVE-2026-54420 affects the LiteSpeed cPanel plugin before 2.4.8, including LiteSpeed WHM PlugIn before 5.3.2.0 as distributed with the vulnerable plugin. The issue is described as improper handling of symlinks supplied by a user who already has FTP access or web shell access on a shared hosting server running CloudLinux/CageFS. Based on the provided classification as CWE-61, the flaw involves incorrect restriction or resolution of symbolic links in a shared-hosting context, creating a path by which a low-privileged tenant can abuse symlink behavior across isolation boundaries. The vulnerability was reported as exploited in the wild in May 2026.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow a low-privileged user on a shared hosting server to leverage crafted symlinks to access or affect resources outside the intended account boundary. The provided CVSS vector (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) indicates high impact to confidentiality, integrity, and availability, with scope change. In practical terms, this may enable cross-account access to sensitive data, unauthorized modification of files or application content, and disruption of hosted services on the same shared server, depending on server configuration and reachable targets.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting untrusted tenant ability to create or leverage symlinks, investigating and removing web shells, and tightening monitoring around shared-hosting accounts with FTP or shell-derived file write capability. Increase auditing for suspicious symlink creation and cross-account file access attempts on CloudLinux/CageFS shared servers. Because the issue specifically involves users who already possess FTP or web shell access, limiting those footholds and isolating compromised accounts can reduce exploitability until upgrades are completed.

Remediation

Patch, then assume compromise.

Upgrade the LiteSpeed cPanel plugin to version 2.4.8 or later. Where the plugin is deployed via LiteSpeed WHM PlugIn, upgrade LiteSpeed WHM PlugIn to version 5.3.2.0 or later so that the fixed plugin version is installed. Validate after upgrade that all affected shared-hosting nodes running CloudLinux/CageFS have received the updated package and that no older plugin copies remain deployed.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

cvefeed high severityNews

Jun 14, 2026

CVE-2026-54420 - LiteSpeed cPanel Plugin Symlink Privilege Escalation

A symlink-handling vulnerability in the LiteSpeed cPanel plugin that can be exploited by a user with FTP or web shell access on shared hosting servers running CloudLinux/CageFS. The content states it was exploited in the wild in May 2026.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-54420

NVD

nvd.nist.gov/vuln/detail/CVE-2026-54420

MITRE CWE · CWE-61

UNIX Symbolic Link (Symlink) Following

blog.litespeedtech.com

blog.litespeedtech.com/2026/06/01/security-update-for-litespeed-cpanel-plugin-2

litespeedtech.com

litespeedtech.com/products/litespeed-web-server/control-panel-support/cpanel