THREAT WATCH
Actively Exploited SonicWall SMA1000 Appliances: CVE-2026-15410 — SonicWall SMA1000 Appliances Code Injection Vulnerability High Microsoft Active Directory Federation Services: CVE-2026-56155 — Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability Medium Microsoft SharePoint Server: CVE-2026-56164 — Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability Actively Exploited SonicWall SMA1000 Appliances: CVE-2026-15409 — SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability Medium Cisco IOS: CVE-2008-4128 — Cisco IOS Cross-Site Request Forgery Vulnerability Critical Balbooa Forms: CVE-2026-56291 — Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability Critical iCagenda iCagenda: CVE-2026-48939 — iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability Critical JoomShaper SP Page Builder: CVE-2026-48908 — JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability Actively Exploited SonicWall SMA1000 Appliances: CVE-2026-15410 — SonicWall SMA1000 Appliances Code Injection Vulnerability High Microsoft Active Directory Federation Services: CVE-2026-56155 — Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability Medium Microsoft SharePoint Server: CVE-2026-56164 — Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability Actively Exploited SonicWall SMA1000 Appliances: CVE-2026-15409 — SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability Medium Cisco IOS: CVE-2008-4128 — Cisco IOS Cross-Site Request Forgery Vulnerability Critical Balbooa Forms: CVE-2026-56291 — Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability Critical iCagenda iCagenda: CVE-2026-48939 — iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability Critical JoomShaper SP Page Builder: CVE-2026-48908 — JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability

CVE-2026-54420 — LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability

Back to Threat Intel Dashboard
High CVSS 8.5 Actively exploited · CISA KEV

LiteSpeed cPanel Plugin

CVE-2026-54420 Added Jun 15, 2026 Remediation deadline has passed
TL;DR

LiteSpeed cPanel Plugin is affected by a high-severity vulnerability (CVE-2026-54420) that is confirmed to be actively exploited in the wild. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

What is this vulnerability?

LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.

How it works

This is classified as CWE-61. In plain terms, an attacker could use this flaw in cPanel Plugin to gain access, disrupt service, or steal data — the exact impact depends on how it’s deployed in your environment.

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Required action

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Mitigations

  • Apply the vendor’s security patch or update as soon as it’s available and tested.
  • If no patch exists yet, apply the vendor’s temporary workaround.
  • Limit network exposure of the affected system until it’s patched.
  • Review logs for signs of prior exploitation, especially if it’s flagged for ransomware use.

Recommendations

  • Confirm whether LiteSpeed cPanel Plugin is used anywhere in your environment.
  • Patch internet-facing systems first, then internal ones.
  • Set a reminder ahead of the remediation deadline so it doesn’t slip.
  • Subscribe to the vendor’s security advisories for earlier warning next time.

Compiled from public threat intelligence (CISA Known Exploited Vulnerabilities catalog and the National Vulnerability Database, referenced in 3 public advisories).