CVE-2026-48172
Published May 21, 2026
Last updated 18 days ago
AI description
CVE-2026-48172 is a privilege escalation vulnerability found in the LiteSpeed User-End cPanel Plugin, affecting versions between 2.3 and 2.4.4. This flaw stems from an incorrect privilege assignment and a logic error within the plugin's `lsws.redisAble` JSON-API endpoint. The vulnerability allows any authenticated cPanel user, including those with low privileges or compromised accounts, to execute arbitrary scripts with root permissions, potentially leading to full server control. This vulnerability has been actively exploited in the wild. A patch was released in version 2.4.5 of the LiteSpeed User-End cPanel Plugin, with further updates in version 2.4.7, which is bundled with WHM plugin version 5.3.1.0. Detection of potential exploitation can be performed by searching cPanel logs for the string "cpanel_jsonapi_func=redisAble".
- Description
- LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of `grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null` in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.
- Source
- cve@mitre.org
- NVD status
- Analyzed
- Products
- litespeed_cpanel_plugin, litespeed_whm_plugin
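The triage step the description recommends (listing which addresses are behind any `redisAble` hits) can be scripted. This is an added example, not part of the CVE record or of LiteSpeed's tooling. It assumes the client IP, cPanel account and timestamp are the first, third and fourth whitespace-separated fields of each matching line; the sample log lines, accounts and request paths are constructed.

```bash
# Added triage example for CVE-2026-48172 log hits (not vendor or CVE-record code).
# ASSUMPTION: each matching line is laid out as
#   <client-ip> - <account> [<timestamp> <tz>] "<request>" ...
# so fields 1, 3 and 4 carry the IP, the cPanel account and the time.
PATTERN='cpanel_jsonapi_func=redisAble'

# Print "<hits> <ip> <account> <first-seen> <last-seen>" for every source of a
# redisAble call, busiest first. With no arguments it scans the two log
# directories named in the CVE description.
summarize_redisable_hits() {
  [ "$#" -gt 0 ] || set -- /var/cpanel/logs /usr/local/cpanel/logs/
  # -h drops the "file:" prefix so IPv6 client addresses stay intact.
  grep -rhE -- "$PATTERN" "$@" 2>/dev/null |
    awk '{
      key = $1 " " $3
      ts = substr($4, 2)                 # strip the leading "["
      if (!(key in hits)) first[key] = ts
      last[key] = ts                     # first/last are in scan order
      hits[key]++
    }
    END { for (k in hits) print hits[k], k, first[k], last[k] }' |
    sort -k1,1nr -k2,2
}

# Constructed sample log (documentation-range IPs, made-up accounts and paths).
write_sample_log() {
  cat > "$1/access_log" <<'EOF'
203.0.113.7 - alice [05/21/2026:10:02:11 -0000] "POST /constructed/path?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
198.51.100.23 - bob [05/21/2026:10:03:00 -0000] "GET /constructed/path?cpanel_jsonapi_func=constructedOther HTTP/1.1" 200 0
203.0.113.7 - alice [05/21/2026:10:09:40 -0000] "POST /constructed/path?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
198.51.100.99 - carol [05/22/2026:01:15:05 -0000] "POST /constructed/path?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
EOF
}

# Demo on the constructed sample; on a real host call the function with no
# arguments (or with other log paths) instead.
demo_dir=$(mktemp -d)
write_sample_log "$demo_dir"
summarize_redisable_hits "$demo_dir"
rm -rf "$demo_dir"
```

Each output row names an address and the account it authenticated as, which gives the starting points for the block decision and for the follow-up search of system logs.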
CVSS 4.0
- Type
- Secondary
- Base score
- 10
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
Data from CISA
- Vulnerability name
- LiteSpeed cPanel Plugin Privilege Escalation Vulnerability
- Exploit added on
- May 26, 2026
- Exploit action due
- May 29, 2026
- Required action
- Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- cve@mitre.org
- CWE-266
- Hype score
- Not currently trending
00:00 UTC: CVE-2026-48172 disclosed. CISA: CVE-2026-48172 added to Known Exploited Vulnerabilities — LiteSpeed cPanel Plugin Status: ✅ Confirmed exploited in the wild Date added: 2026-05-26 Required action: Apply mitigations per vendor instructions, follow applicable…
@lyrie_ai
10 Jun 2026
CVE-2026-48172: CVE-2026-48172: Critical LiteSpeed cPanel Plugin Flaw Exploited for Privilege Escalation 0day Intel: CVE-2026-48172: Critical LiteSpeed cPanel Plugin Flaw Exploited for Privilege Es
@lyrie_ai
7 Jun 2026
CVE-2026-48172: Root Privilege Escalation in LiteSpeed cPanel Plugin A critical vulnerability, identified as CVE-2026-48172, affects the LiteSpeed User-End cPanel Plugin versions 2.3 through 2.4.4. #cve #cve202648172 #litespeed https://t.co/1YLG0hbeoe https://t.co/6Jyv2dNLdH
@LowEndNetwork
29 May 2026
LiteSpeed cPanel plugin zero-day CVE-2026-48172 fixed: risk of server root privilege takeover https://t.co/H9UWwQPZfX The cause of this vulnerability, CVE-2026-48172, is a flaw in the program logic that exists in the plugin's endpoint
@iototsecnews
29 May 2026
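Good moo-rning 🐮 [Deadline day] LiteSpeed cPanel CVE-2026-48172: the CISA KEV remediation deadline is today, 5/29, moo 🐮 And on top of that, Starlette's BadHost (CVE-2026-48710) has newly arrived too, moo… In 5 minutes this morning: ✅ Final check of cPanel patch status ✅ FastAPI/vLLM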
@accell_mo_kun
28 May 2026
CISA: Patch LiteSpeed cPanel Plugin Zero-Day CVE-2026-48172 Now https://t.co/MAkhuMQ7R4
@seanwalker64354
28 May 2026
Legacy exposure keeps paying off for attackers. CVE-2026-48172 puts LiteSpeed cPanel deployments on a KEV… CVE-2026-48172 is an actively exploited LiteSpeed user-end cPanel plugin flaw that can lead… 🔗 Read → https://t.co/T4rk9zzH6q
@fynn_JourX
28 May 2026
🛑 CVE-2026-48172 puts LiteSpeed cPanel deployments on a KEV deadline CVE-2026-48172 is an actively exploited LiteSpeed user-end cPanel plugin flaw that can lead… 🔗 Details → https://t.co/YbwYtwDxBE
@lucasverdan
27 May 2026
For defenders, cve-2026-48172 puts litespeed cpanel deployments on a kev deadl… should move fast. CVE-2026-48172 is an actively exploited LiteSpeed user-end cPanel plugin flaw that can lead… 🔗 Details → https://t.co/P6vLbHHhvH
@SocXAInvaders
27 May 2026
Top 5 Trending CVEs: 1 - CVE-2026-45659 2 - CVE-2026-5426 3 - CVE-2026-48172 4 - CVE-2024-12802 5 - CVE-2026-8945 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
27 May 2026
🔗 Read more: 🏛️ CISA Adds LiteSpeed cPanel Plugin Privilege Escalation Vulnerability 📝 CISA adds CVE-2026-48172 to KEV Catalog, affecting federal agencies. https://t.co/xRgMR33Mqp 📰 Alerts #GovSec #CVE
@Bug_X_hunter
27 May 2026
🔴 Any user in a shared hosting environment can run commands with root privileges — a vulnerability that is actively being exploited. Identifier: CVE-2026-48172 Severity score: 10.0 (CVSS) — Critical Product: LiteSpeed cPanel Plugi
@KasperskyDev
26 May 2026
CVE-2026-48172 (CVSS 10.0): Critical LiteSpeed cPanel Plugin flaw under active exploitation. Any cPanel user can run scripts as root via the lsws.redisAble function. Affects v2.3-2.4.4 — patch to 2.4.5+ now. #InfoSec #CVE #Cybersecurity
@infrasecserv
26 May 2026
Two CVSS 9.8+ cPanel exploits. Same month. Both in the wild. CVE-2026-41940: any user → admin. CVE-2026-48172 (CVSS 10.0): Redis toggle → root. Shared hosting's trust model: paper wall. 🎧 https://t.co/tgr316e8ez #cPanel #InfoSec
@ZeroDay_Brief
25 May 2026
🚨 CVE-2026-48172: LiteSpeed User-End cPanel Plugin is actively exploited. Impact: cPanel users may execute arbitrary scripts as root. ✅ Upgrade to LiteSpeed WHM Plugin 5.3.1.0 / cPanel plugin 2.4.7+ https://t.co/W2lKdMTS1R #LiteSpeed #cPanel #CVE #CyberSecurity #Vulert
@vulert_official
25 May 2026
LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root https://t.co/503dimGNTn #CyberSecurity #Vulnerabilities #CSCIS
@CIDC_Ops
25 May 2026
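A CVSS 10.0 privilege escalation vulnerability, CVE-2026-48172, has been reported in LiteSpeed's plugin for cPanel, and exploitation has already been confirmed. Any cPanel user (including compromised accounts), through the lsws[.]redisAble function, arbitrary scripts with root privileges…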
@MalwareBibleJP
24 May 2026
A LiteSpeed cPanel plugin privilege escalation flaw (CVE-2026-48172) allows attackers to run scripts as root. Active exploitation detected. https://t.co/EHKe7uAviz #LiteSpeed #cPanel #PrivilegeEscalation #CVE #CVSS10 #RootExploit #ActiveExploitation #WHM #DavidStrydom #InfoSec
@redsecuretech
24 May 2026
LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root https://t.co/bzBaRnL5Sm
@PVynckier
24 May 2026
A Single Function Call: How CVE-2026-48172 Hands Root to Any cPanel User LiteSpeed patched the flaw and assigned it CVE-2026-48172 with a score of 10.0, the maximum possible. By the time the fix shipped, attackers were already exploiting it in the wild. https://t.co/Z3ZMoy0ZKQ
@EnigmaGlobalSW
24 May 2026
[CVE-2026-48172 in LiteSpeed cPanel Plugin actively exploited] Active exploitation has been reported for CVE-2026-48172 in LiteSpeed User-End cPanel Plugin. CVSS 10.0; arbitrary script execution with root privileges from a cPanel user or a compromised account
@01ra66it
23 May 2026
Analyzing CVE-2026-48172: Root Access via the LiteSpeed cPanel Plugin https://t.co/K9nlC8oSz2
@pr0h0_me
23 May 2026
CVE-2026-48172: Severe LiteSpeed cPanel Plugin Flaw Under Active Attack #cybersecurity #cyashadotcom #melody https://t.co/EYu1Oe7eRQ
@cyashadotcom
23 May 2026
LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root https://t.co/BSIs1FRU1H
@VivekIntel
23 May 2026
LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root https://t.co/pILuMwwE0C
@Dinosn
23 May 2026
[Cybersecurity trend analysis] Trending security news (as of May 23, 2026) Drupal Core SQL Injection vulnerability (CVE-2026-9082) is being actively exploited https://t.co/hmqRlLQbNN https://t.co/RXW7NklWcL The LiteSpeed cPanel Plugin's…
@kenebeii
23 May 2026
LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root: A maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild. The flaw, tracked as CVE-2026-48172 (CVSS score:… https://t.co/fK83yZhR0
@shah_sheikh
23 May 2026
LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root https://t.co/DlDDNvXat2
@TheCyberSecHub
23 May 2026
LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root https://t.co/oSl5NJ3QHq
@wvipersg
23 May 2026
NEW THREAT INTEL: LiteSpeed cPanel 0-Day CVE-2026-48172 -- CVSS 10.0 LPE actively exploited. 9 detections, 15 IOCs. https://t.co/vlDX5i6RxI #ThreatIntel #ZeroDay #CVE https://t.co/nJBInrCWUO
@threadlinqs
22 May 2026
🚨*CVE* CVE-2026-48172 LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. LiteSpeed WHM Plugin (the parent p… https://t.co/UsgzXo0eCq ----- Translation: CVE-2026-48172 Lit… https://t.co/utmtNg
@infoflowcloud
21 May 2026
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:litespeedtech:litespeed_cpanel_plugin:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "B64A4D51-C0C2-4925-A49C-97E7CD8CAABD",
            "versionEndExcluding": "2.4.7",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:litespeedtech:litespeed_whm_plugin:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "6CBC6C6D-C562-4EB5-A2A0-BE07F716B8AF",
            "versionEndExcluding": "5.3.1.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]