criticalCISA KEVCVE-2026-54420

LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability

LiteSpeed cPanel plugin contains a UNIX symbolic link (Symlink) following vulnerability that could allow a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS.

ProductcPanel Plugin
CVSS8.5
EPSS0.01261
UpdatedJuly 9, 2026

Quick answer

LiteSpeed cPanel Plugin should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Review vendor advisory for affected versions.

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

The LiteSpeed cPanel Plugin is affected by a symlink-following issue on shared hosting systems, especially where CloudLinux or CageFS is in use. Apply the LiteSpeed plugin security update and review shared-hosting boundaries for bypass or file access abuse. Because cPanel plugins run close to hosting control-plane data, credential and file integrity review is required.

  1. Inventory all WHM and cPanel servers with the LiteSpeed cPanel Plugin installed.
  2. Upgrade the plugin to the fixed LiteSpeed release referenced in the security update.
  3. Review CloudLinux, CageFS, jailed shell, FTP, and web shell access policies for shared-hosting users.
  4. Restrict WHM and cPanel administration to trusted networks and MFA-protected administrator accounts.
  5. Inspect symlinks, user-owned web roots, temporary directories, plugin files, WHM hooks, and cron jobs for suspicious access paths.
  6. Rotate WHM root, reseller, API token, SSH, and hosting automation credentials if cross-account access is suspected.
  7. Rebuild plugin packages from trusted vendor sources and restart affected web and control-panel services after patching.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm the installed LiteSpeed cPanel Plugin version matches the fixed vendor release.
  • Validate CloudLinux and CageFS isolation still prevents cross-account file access.
  • Review cPanel, FTP, web server, and WHM logs for symlink abuse or unexpected file reads.
  • Test normal hosted-site and LiteSpeed cache workflows after remediation.
  • Run a Fixnx scan on hosted public domains and confirm no control-panel exposure is visible.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-54420?

LiteSpeed cPanel Plugin should be checked against the vendor advisory and trusted references linked on this page.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.