Last updated: 21 May 2026
A serious privilege-escalation vulnerability has been identified in the LiteSpeed User-End cPanel Plugin. LiteSpeed has confirmed that this issue is being actively exploited in the wild.
This vulnerability is tracked as:
CVE-2026-48172
LiteSpeed has now released updated fixes following a full security review of both the LiteSpeed User-End cPanel Plugin and the bundled WHM Plugin.
All affected cPanel servers using LiteSpeed should be updated immediately.
Vulnerability Summary
The vulnerability affects the LiteSpeed User-End cPanel Plugin used on cPanel servers.
According to the LiteSpeed Team, any cPanel user, including an attacker using a compromised cPanel account, could exploit the lsws.redisAble function to execute arbitrary scripts as root.
This creates a critical privilege-escalation risk on affected servers and requires immediate action.
Additional Security Review Findings
In addition to CVE-2026-48172, LiteSpeed has also identified and addressed potential vulnerabilities discovered during a full security review of both:
- LiteSpeed User-End cPanel Plugin
- LiteSpeed WHM Plugin bundle
Because of this, customers should not only remove or disable the vulnerable User-End plugin, but should also upgrade the LiteSpeed WHM Plugin package to the latest fixed release.
Affected Component
Affected:
- LiteSpeed User-End cPanel Plugin
Not directly affected by CVE-2026-48172:
- LiteSpeed WHM Plugin / parent LiteSpeed plugin itself
However, the fixed User-End cPanel Plugin is delivered through the updated LiteSpeed WHM Plugin package, and LiteSpeed has also released additional security fixes for the bundled WHM Plugin after its security review.
Fixed Version Available
LiteSpeed has released the fix in:
- LiteSpeed WHM Plugin v5.3.1.0 or higher
- Bundled with LiteSpeed cPanel Plugin v2.4.7 or higher
All affected servers should be upgraded to these versions or later as soon as possible.
Recommended Action
EuroVPS strongly recommends that all customers running LiteSpeed on cPanel servers urgently upgrade to:
LiteSpeed WHM Plugin v5.3.1.0 or higher
This version includes the fixed LiteSpeed cPanel Plugin v2.4.7.
After upgrading, please confirm that both the LiteSpeed WHM Plugin and bundled cPanel plugin are updated to the fixed versions.
Alternative Action: Uninstall the Vulnerable User-End Plugin
If you cannot upgrade immediately, LiteSpeed recommends removing the vulnerable User-End cPanel Plugin.
Run the following command as root:
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
This removes the vulnerable User-End plugin from existing cPanel accounts and prevents it from being installed on new accounts.
This should only be treated as a temporary mitigation. The recommended action remains upgrading to the latest LiteSpeed WHM Plugin version.
How to Check If Your Server Was Exploited
To check whether there are signs of exploitation, run the following command as root:
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
Result Interpretation
No output / no results
No matching exploitation attempt was found in the checked logs.
Please note that this check only searches for this specific known indicator. It should not be treated as a full compromise assessment.
Any output
The server may have been targeted or affected.
Please save the full output and contact LiteSpeed support or EuroVPS support immediately for further review.
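The check above extended to cover rotated logs and to keep the output for a support ticket. This is an added example, not code from LiteSpeed or EuroVPS. `grep -r` does not look inside compressed files, so the sketch assumes any rotated logs under the checked directories are gzip-compressed with a `.gz` suffix. The function name scan_ioc and the evidence file path are hypothetical.

```shell
#!/bin/sh
# Added example: look for the advisory's indicator in plain and
# gzip-compressed logs and save every match as evidence.
IOC='cpanel_jsonapi_func=redisAble'   # indicator string quoted in the advisory

# scan_ioc EVIDENCE_FILE DIR...
# Writes one "path:matching line" entry per hit to EVIDENCE_FILE and prints
# the number of hits. Keep EVIDENCE_FILE outside the directories scanned.
scan_ioc() {
    out=$1; shift
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        case $f in
            *.gz)
                # Assumption: rotated logs are gzip files ending in .gz
                gzip -dc < "$f" 2>/dev/null | grep -F -- "$IOC" |
                    while IFS= read -r line; do
                        printf '%s:%s\n' "$f" "$line"
                    done ;;
            *)
                # Plain-text log; "|| :" keeps a no-match from aborting
                # the scan when the caller uses "set -e"
                grep -HF -- "$IOC" "$f" 2>/dev/null || : ;;
        esac
    done > "$out"
    wc -l < "$out" | tr -d ' '
}

# On a server, as root, with the log directories named in the advisory
# (the evidence path is a hypothetical choice):
#   scan_ioc /root/redisable-evidence.txt /var/cpanel/logs /usr/local/cpanel/logs
# A count of 0 means the indicator was not found in the files scanned;
# any other count means the evidence file should go to support as-is.
```

As with the original command, a count of 0 only covers this one indicator in the files that were scanned.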
EuroVPS Recommendation
EuroVPS strongly recommends taking immediate action on all cPanel servers using LiteSpeed.
Recommended steps:
- Upgrade to LiteSpeed WHM Plugin v5.3.1.0 or higher.
- Confirm the bundled LiteSpeed cPanel Plugin is updated to v2.4.7 or higher.
- Run the exploitation check command provided above.
- If immediate upgrade is not possible, uninstall the vulnerable User-End cPanel Plugin using the command provided above.
- Review server logs and user accounts for any suspicious activity if the verification command returns output.
Where EuroVPS has administrative access and the server is within managed support scope (servers where the LiteSpeed license was purchased directly from EuroVPS), we are proactively applying the update and removing the vulnerable User-End plugin where required.
Customers managing their own servers, or customers who purchased their LiteSpeed license directly from the vendor, should apply the recommended action without delay.
Need Assistance?
If you require assistance with checking, upgrading, or reviewing your server, please open a support ticket with EuroVPS.
If the verification command returns any output, please include the full output in your support ticket so our team can review it properly.