CVE-2026-48172

Published May 21, 2026

Last updated 4 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-48172 is a privilege escalation vulnerability found in the LiteSpeed User-End cPanel Plugin, affecting versions between 2.3 and 2.4.4. This flaw stems from an incorrect privilege assignment and a logic error within the plugin's `lsws.redisAble` JSON-API endpoint. The vulnerability allows any authenticated cPanel user, including those with low privileges or compromised accounts, to execute arbitrary scripts with root permissions, potentially leading to full server control. This vulnerability has been actively exploited in the wild. A patch was released in version 2.4.5 of the LiteSpeed User-End cPanel Plugin, with further updates in version 2.4.7, which is bundled with WHM plugin version 5.3.1.0. Detection of potential exploitation can be performed by searching cPanel logs for the string "cpanel_jsonapi_func=redisAble".

Description
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of `grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null` in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.
Source: cve@mitre.org
NVD status: Awaiting Analysis
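
The log search from the description, extended to tally the source addresses it asks you to review. This is an added example, not code from the advisory or from LiteSpeed; it assumes matching lines are access-log style with the client address as the first field, and the sample log lines and paths in it are constructed.

```shell
#!/usr/bin/env bash
# Added example: count requests naming the redisAble function per source address.
# Assumption: matching lines are access-log style, with the client address as
# the first whitespace-separated field. Change the awk field if yours differ.

PATTERN='cpanel_jsonapi_func=redisAble'   # search string given in the description

# Print "count address" for every source seen, most frequent first.
# Arguments: log directories or files, e.g. /var/cpanel/logs /usr/local/cpanel/logs/
redisable_hits_by_ip() {
    # -h drops the "file:" prefix that -r adds, so field 1 stays the address.
    grep -rhE -- "$PATTERN" "$@" 2>/dev/null |
        awk '$1 ~ /^[0-9a-fA-F:.]+$/ { n[$1]++ }
             END { for (ip in n) print n[ip], ip }' |
        sort -k1,1nr -k2,2
}

# Constructed sample data (documentation address ranges, placeholder request
# paths) so the function can be exercised offline. Prints the directory path.
make_sample_logs() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/archive" || return 1
    cat > "$dir/access_log" <<'EOF'
198.51.100.7 - user1 [23/May/2026:10:01:02 +0000] "GET /placeholder?cpanel_jsonapi_func=redisAble HTTP/1.1" 200
198.51.100.7 - user1 [23/May/2026:10:01:09 +0000] "GET /placeholder?cpanel_jsonapi_func=redisAble HTTP/1.1" 200
203.0.113.44 - user2 [23/May/2026:11:15:30 +0000] "GET /placeholder?cpanel_jsonapi_func=redisAble HTTP/1.1" 200
192.0.2.10 - user3 [23/May/2026:12:00:00 +0000] "GET /placeholder?cpanel_jsonapi_func=otherFunc HTTP/1.1" 200
EOF
    cat > "$dir/archive/access_log.1" <<'EOF'
198.51.100.7 - user1 [22/May/2026:23:59:58 +0000] "GET /placeholder?cpanel_jsonapi_func=redisAble HTTP/1.1" 200
EOF
    printf '%s\n' "$dir"
}

# Demo on the constructed logs; on a real host pass the two directories above.
demo() {
    d=$(make_sample_logs) || return 1
    redisable_hits_by_ip "$d"
    rm -rf "$d"
}
demo
```

No output means no matching requests were logged in the paths given; rotated or compressed logs are not searched by this function.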

Risk scores

CVSS 4.0

Type: Secondary
Base score: 10
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: CRITICAL

Weaknesses

cve@mitre.org
CWE-266

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

4

  1. Two CVSS 9.8+ cPanel exploits. Same month. Both in the wild. CVE-2026-41940: any user → admin. CVE-2026-48172 (CVSS 10.0): Redis toggle → root. Shared hosting's trust model: paper wall. 🎧 https://t.co/tgr316e8ez #cPanel #InfoSec

    @ZeroDay_Brief, 25 May 2026 (4 Impressions, 0 Retweets, 1 Like, 0 Bookmarks, 0 Replies, 0 Quotes)

  2. 🚨 CVE-2026-48172: LiteSpeed User-End cPanel Plugin is actively exploited. Impact: cPanel users may execute arbitrary scripts as root. ✅ Upgrade to LiteSpeed WHM Plugin 5.3.1.0 / cPanel plugin 2.4.7+ https://t.co/W2lKdMTS1R #LiteSpeed #cPanel #CVE #CyberSecurity #Vulert

    @vulert_official, 25 May 2026 (8 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes)

  3. LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root https://t.co/503dimGNTn #CyberSecurity #Vulnerabilities #CSCIS

    @CIDC_Ops, 25 May 2026 (24 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes)

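  4. A CVSS 10.0 privilege escalation vulnerability, CVE-2026-48172, has been reported in LiteSpeed's plugin for cPanel, and exploitation has already been confirmed. Any cPanel user (including compromised accounts), via the lsws[.]redisAble function, with root privileges, arbitrary scrip

    @MalwareBibleJP, 24 May 2026 (1493 Impressions, 1 Retweet, 10 Likes, 4 Bookmarks, 0 Replies, 0 Quotes)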

  5. A LiteSpeed cPanel plugin privilege escalation flaw (CVE-2026-48172) allows attackers to run scripts as root. Active exploitation detected. https://t.co/EHKe7uAviz #LiteSpeed #cPanel #PrivilegeEscalation #CVE #CVSS10 #RootExploit #ActiveExploitation #WHM #DavidStrydom #InfoSec

    @redsecuretech, 24 May 2026 (47 Impressions, 1 Retweet, 1 Like, 0 Bookmarks, 0 Replies, 0 Quotes)

  6. LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root https://t.co/bzBaRnL5Sm

    @PVynckier, 24 May 2026 (92 Impressions, 2 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes)

  7. A Single Function Call: How CVE-2026-48172 Hands Root to Any cPanel User LiteSpeed patched the flaw and assigned it CVE-2026-48172 with a score of 10.0, the maximum possible. By the time the fix shipped, attackers were already exploiting it in the wild. https://t.co/Z3ZMoy0ZKQ

    @EnigmaGlobalSW, 24 May 2026 (2 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes)

  8. [CVE-2026-48172 in LiteSpeed cPanel Plugin exploited in the wild] In-the-wild exploitation of CVE-2026-48172 in the LiteSpeed User-End cPanel Plugin has been reported. CVSS 10.0; arbitrary script execution with root privileges from a cPanel user or a compromised account

    @01ra66it, 23 May 2026 (165 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes)

  9. Analyzing CVE-2026-48172: Root Access via the LiteSpeed cPanel Plugin https://t.co/K9nlC8oSz2

    @pr0h0_me, 23 May 2026 (10 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes)

  10. CVE-2026-48172: Severe LiteSpeed cPanel Plugin Flaw Under Active Attack #cybersecurity #cyashadotcom #melody https://t.co/EYu1Oe7eRQ

    @cyashadotcom, 23 May 2026 (54 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes)

  11. LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root https://t.co/BSIs1FRU1H

    @VivekIntel, 23 May 2026 (191 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes)

  12. LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root https://t.co/pILuMwwE0C

    @Dinosn, 23 May 2026 (1669 Impressions, 0 Retweets, 10 Likes, 3 Bookmarks, 0 Replies, 0 Quotes)

  13. [Cybersecurity trend analysis] Trending security news (as of May 23, 2026): Drupal Core SQL Injection vulnerability (CVE-2026-9082) is being actively exploited https://t.co/hmqRlLQbNN https://t.co/RXW7NklWcL The LiteSpeed cPanel Plugin's

    @kenebeii, 23 May 2026 (70 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes)

  14. LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root: A maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild. The flaw, tracked as CVE-2026-48172 (CVSS score:… https://t.co/fK83yZhR0

    @shah_sheikh, 23 May 2026 (73 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes)

  15. LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root https://t.co/DlDDNvXat2

    @TheCyberSecHub, 23 May 2026 (541 Impressions, 0 Retweets, 2 Likes, 0 Bookmarks, 0 Replies, 0 Quotes)

  16. LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root https://t.co/oSl5NJ3QHq

    @wvipersg, 23 May 2026 (42 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes)

  17. NEW THREAT INTEL: LiteSpeed cPanel 0-Day CVE-2026-48172 -- CVSS 10.0 LPE actively exploited. 9 detections, 15 IOCs. https://t.co/vlDX5i6RxI #ThreatIntel #ZeroDay #CVE https://t.co/nJBInrCWUO

    @threadlinqs, 22 May 2026 (76 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes)

  18. 🚨*CVE* CVE-2026-48172 LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. LiteSpeed WHM Plugin (the parent p… https://t.co/UsgzXo0eCq ----- Translation: CVE-2026-48172 Lit… https://t.co/utmtNg

    @infoflowcloud, 21 May 2026 (53 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes)