Source: The Hacker News — 23 May 2026
What we are tracking
A maximum-severity security vulnerability impacting the LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild. The flaw, tracked as CVE-2026-48172 (CVSS score: 10.0), relates to an instance of incorrect privilege assignment that an attacker could abuse to run arbitrary scripts with elevated permissions. "Any cPanel user (including an attacker or a compromised account) may
RingSafe analysis
India’s shared-hosting market — BigRock, Hostinger, MilesWeb, ZNetLive, Bluehost India — runs heavily on cPanel layered over LiteSpeed Web Server. Any tenant sitting on an unpatched node has a trivial root-escalation path, which means a single compromised cPanel account on a shared box can pivot laterally to every other tenant on that server. Indian SMBs, e-commerce shops, and WordPress agencies on shared LiteSpeed hosting should confirm with their host this week that the LiteSpeed User-End cPanel Plugin has been patched, and treat any hosting provider that cannot answer within 48 hours as a migration trigger. The activity maps to MITRE ATT&CK T1068 (Exploitation for Privilege Escalation) and T1078.003 (Local Accounts). Under DPDP Section 8, a data fiduciary whose tenant is exfiltrated via lateral movement from a neighbour is still on the hook for the 72-hour breach-notification window — the hosting boundary is not a regulatory boundary.
Read the original report
LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root → at The Hacker News