CVE-2026-48172

Description

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.

CVSS v3.1 Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS — Exploit Prediction

0.0796

Probability of exploitation

0.92%

Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

CISA Known Exploited Vulnerability

This vulnerability is actively exploited in the wild.

Added: May 26, 2026 Remediation due: May 29, 2026

Weakness Type (CWE)

CWE-266 CWE-266

Affected Products

Vendor	Product	Versions
litespeedtech	litespeed_cpanel_plugin	< 2.4.7
litespeedtech	litespeed_whm_plugin	< 5.3.1.0

References

Advisories & Patches

https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/

Other References

https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/cpanel https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/release-log https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48172

Frequently Asked Questions

What is CVE-2026-48172? +

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7. It has a CVSS v3.1 base score of 9.8 (CRITICAL). This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

How severe is CVE-2026-48172? +

CVE-2026-48172 has a CVSS v3.1 score of 9.8 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately. The EPSS score is 0.0796, placing it in the 1th percentile for exploitation probability.

What products are affected by CVE-2026-48172? +

CVE-2026-48172 affects products from litespeedtech, specifically: litespeed_cpanel_plugin, litespeed_whm_plugin. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2026-48172? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2024-56513

Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior …

CVE-2025-26523

This vulnerability exists in RupeeWeb trading platform due to insufficient authorization controls on certain API endpoints handling addition and deletion …

CVE-2025-0131

An incorrect privilege management vulnerability in the OPSWAT MetaDefender Endpoint Security SDK used by the Palo Alto Networks GlobalProtect™ app …

CVE-2025-48741

A Broken Access Control vulnerability in StrangeBee TheHive 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, and 5.4.0 before 5.4.10 allows remote, …

CVE-2025-4228

An incorrect privilege assignment vulnerability in Palo Alto Networks Cortex® XDR Broker VM allows an authenticated administrative user to execute …

CVE-2025-0139

An incorrect privilege assignment vulnerability in Palo Alto Networks Autonomous Digital Experience Manager allows a locally authenticated low privileged user …