KEVIntel
PRO Back to KEVs
10.0
CVSS
Critical

CVE-2026-48172

PUBLISHED

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is...

1 day faster than CISA KEV

Exploited in the wild PoC available Remote Low complexity No user interaction
Vendor
LiteSpeed Technologies
Product
cPanel Plugin, WHM Plugin
Published
May 21, 2026
EPSS
8.0% · 92% pctl

Automate this intelligence with the Pro API

Everything on this page — CVSS, EPSS, exploit status, PoCs, scanner integrations, mentions, tags, and immediate honeypot data — is available programmatically for VM, SOC, and CTI workflows.

Learn about Pro

Description

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.

redis cisa

Weaknesses (CWE)

  • CWE-266

    Incorrect Privilege Assignment

CVSS scores

CVSS v4.0 10.0 Critical

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation status

Exploited in the wild

Recorded 2026-06-01 13:29:31 UTC · CVE

Proof of concept available

Recorded 2026-05-28 16:47:33 UTC · GitHub

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
CVE First 2026-06-01 13:29 UTC
CISA 2026-06-02 14:00 UTC

Recent mentions

CISA Adds One Known Exploited Vulnerability to Catalog

All CISA Advisories · May 26, 2026

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.  CVE-2026-48172 LiteSpeed cPanel Plugin Privilege Escalation Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

fevar54/CVE-2026-48172---LiteSpeed-cPanel-Plugin-Version-Auditor

github · Created 2026-05-28 16:47:33 UTC · 0 stars

This script safely checks the local version of the LiteSpeed cPanel plugin to determine if the system is running a version vulnerable to CVE-2026-48172. It does not send exploits or interact with network endpoints maliciously.

HORKimhab/CVE-2026-48172

github · Created 2026-05-23 08:00:37 UTC · 1 stars

CVE-2026-48172

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Added to KEVIntel

  • KEV confirmed by CISA