
LiteSpeed cPanel Plugin Flaw Lets Any Shared Hosting User Take Over the Entire Server

A max-severity flaw in LiteSpeed's cPanel plugin lets any hosting user run scripts as root. Patch now or uninstall — active exploitation confirmed.

A critical privilege escalation bug in LiteSpeed's user-end cPanel plugin — now confirmed as actively exploited in the wild — can hand any ordinary hosting account unrestricted root access to the server it sits on. 

Tracked as CVE-2026-48172 and carrying a perfect CVSS score of 10.0, the flaw stems from an incorrect privilege assignment that allows an attacker to run arbitrary scripts with elevated permissions.

That threat model, a low-privilege tenant reaching root, is what makes this one particularly uncomfortable for shared hosting providers. Because exploitation only requires access to a valid cPanel user account, a malicious tenant or an already-compromised shared hosting account can pivot to a full server takeover.

In practice, that means a successful PHP exploit against any website on a server could chain straight into root, through a plugin most administrators probably never thought twice about.

What's Actually Broken

The issue is related to the mishandling of the Redis enable/disable features inside the plugin. The vulnerability resides in the lsws.redisAble function exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with root privileges. Redis (an in-memory data store commonly used for caching) is a standard component on many cPanel servers, making this attack surface widely accessible.

Importantly, LiteSpeed's WHM (Web Host Manager) plugin, used by server administrators, is not affected. The vulnerable component is the tenant-facing, user-end plugin only.

Security researcher David Strydom reported the flaw to LiteSpeed on May 19, 2026. Following the initial report, LiteSpeed and the cPanel/WebPros team initiated an urgent response cycle. 

cPanel's emergency patch, released 12 hours ahead of schedule, included an automated fix that uninstalls the plugin entirely. That's an unusually aggressive response — but given active exploitation was already underway, removing the code entirely was the fastest available defense.

A Pattern Worth Noticing

This is the third cPanel emergency security release in just over three weeks. April 28 brought CVE-2026-41940, an authentication bypass actively exploited as a zero-day since February. May 13 brought a planned but substantial patch covering five additional CVEs. 

And May 19 brings the LiteSpeed plugin emergency, plus two additional cPanel security issues. The earlier CVE-2026-41940 (CVSS 9.8) was exploited by unknown threat actors to deploy Mirai botnet variants and a ransomware strain called Sorry.

For any hosting business running cPanel, monthly patching cycles no longer cut it.

What You Need to Do

All versions of the LiteSpeed user-end plugin between v2.3 and v2.4.4 are at risk. The recommended action is to upgrade to LiteSpeed WHM Plugin v5.3.1.0, which bundles cPanel plugin v2.4.7 and includes both the original fix and patches from a broader security review LiteSpeed conducted after the initial disclosure.

If an immediate upgrade isn't possible, uninstall the vulnerable plugin using:

/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall

To check whether your server has already been hit, run:

grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

No output means you're clean. Any output warrants an immediate review of the flagged IP addresses and system logs to assess the extent of access.
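The grep above tells you whether the string appears at all; when triaging, the next question is which source addresses made the calls and how often. The following shell helper is an added example, not a command from the advisory, LiteSpeed, or cPanel. It assumes cPanel-style access log lines in which the client IP is the first whitespace-separated field and the request line carries the cpanel_jsonapi_func=redisAble query parameter; the sample log it writes to a temporary file is constructed for illustration and is not real data.

```shell
#!/bin/sh
# Added detection helper (assumption: cPanel access-log layout with the client
# IP as the first field). Summarises redisAble calls per source IP so the
# "flagged IP addresses" step in the advisory has something concrete to review.

# Usage: redisable_hits <logfile...>
# Prints "count ip" lines, highest count first, one per source IP that
# requested the redisAble function. Only requests the log actually recorded
# with that query string are found, so this mirrors the advisory's grep rather
# than proving the absence of compromise.
redisable_hits() {
    grep -hE 'cpanel_jsonapi_func=redisAble' "$@" 2>/dev/null \
        | awk '{print $1}' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Constructed sample log (not real data) so the helper runs stand-alone.
# Two calls from 203.0.113.10, one from 192.0.2.55, and one unrelated API call.
SAMPLE_LOG="${TMPDIR:-/tmp}/redisable_sample_$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - tenant1 [19/May/2026:10:01:02 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble&status=on HTTP/1.1" 200 512
198.51.100.7 - tenant2 [19/May/2026:10:05:44 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=Email&cpanel_jsonapi_func=listpops HTTP/1.1" 200 1024
203.0.113.10 - tenant1 [19/May/2026:10:06:10 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble&status=off HTTP/1.1" 200 512
192.0.2.55 - tenant3 [19/May/2026:11:30:00 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
EOF

# Prints:
# 2 203.0.113.10
# 1 192.0.2.55
redisable_hits "$SAMPLE_LOG"
```

On a real server, point redisable_hits at the same directories the advisory's grep searches (for example the files under /var/cpanel/logs and /usr/local/cpanel/logs/) and cross-check each listed IP against the cPanel account that owns it and the time window of the requests. Because the user-end plugin is meant to be called by tenants, a hit is not by itself proof of exploitation; it is the starting point for the log review the advisory recommends. Note that an empty result only shows that the retained logs contain no recorded redisAble requests, so rotated or purged logs reduce what this check can see.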

If you're a managed hosting provider, assume your customers haven't patched themselves — push the update at the infrastructure level and verify.
