Security Advisory - LiteSpeed Privilege Escalation Vulnerability CVE-2026-48172
Incident
Report for Liquid Web - Services
Resolved
Status Update
Our security and operations teams completed the assessment of our infrastructure, which forcd a upcp update today for all systems we were able to reach. We also reviewed environments for the indicators of compromise noted in the LiteSpeed article below. We will address any findings via a support ticket. We are resolving this incident at this time.
Customer Guidance
Customers are strongly encouraged to ensure they are running the updated version of the LiteSpeed plugin and to review their systems for the indicators of compromise. If our team does not have access to your system because it is unmanaged, self-managed, or access has been updated but not shared with Liquid Web, then we would not have been able to reach your system in order to apply updates or check for indicators of compromise.
If you have any questions or concerns, you can reach us through the following channels:
Live Chat via the Customer Portal: https://my.liquidweb.com
Email: support@liquidweb.com
Our security and operations teams completed the assessment of our infrastructure, which forcd a upcp update today for all systems we were able to reach. We also reviewed environments for the indicators of compromise noted in the LiteSpeed article below. We will address any findings via a support ticket. We are resolving this incident at this time.
Customer Guidance
Customers are strongly encouraged to ensure they are running the updated version of the LiteSpeed plugin and to review their systems for the indicators of compromise. If our team does not have access to your system because it is unmanaged, self-managed, or access has been updated but not shared with Liquid Web, then we would not have been able to reach your system in order to apply updates or check for indicators of compromise.
If you have any questions or concerns, you can reach us through the following channels:
Live Chat via the Customer Portal: https://my.liquidweb.com
Email: support@liquidweb.com
Identified
A recently disclosed vulnerability (CVE-2026-48172) in the LiteSpeed user-end cPanel plugin allows an unprivileged user to escalate to root privileges in plugin versions between v2.3 and v2.4.4. This issue has been classified as high severity. Public reports suggest the vulnerability was being exploited in the wild in May 2026, and indicators of compromise have been published. On May 19th cPanel issued a separate update which disabled and removed the plugin. This vulnerability is patched in v2.4.7 of the user-end plugin and v5.3.1.0 of the WHM plugin (which bundles the user-end plugin).
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-48172
https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/
https://support.cpanel.net/hc/en-us/articles/40599423437079-Security-LiteSpeed-plugin-automatically-removed-during-nightly-update-May-19-2026
Status
Our security and operations teams are completing an assessment of our infrastructure and will force a upcp update today for all systems we are able to reach. We plan to review for Indicators of Compromise following the updates.
Customer Guidance
Customers managing their own systems or using unmanaged services should ensure they have applied the latest security updates or have removed the plugin. Customers should also review their systems for indicators of compromise using the information provided in the LiteSpeed blog article.
Should you need any assistance or have any questions or concerns, you can reach us through the following channels:
Live Chat via the Customer Portal: https://my.liquidweb.com
Email: support@liquidweb.com
We will continue monitoring this vulnerability and will provide updates if new information becomes available.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-48172
https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/
https://support.cpanel.net/hc/en-us/articles/40599423437079-Security-LiteSpeed-plugin-automatically-removed-during-nightly-update-May-19-2026
Status
Our security and operations teams are completing an assessment of our infrastructure and will force a upcp update today for all systems we are able to reach. We plan to review for Indicators of Compromise following the updates.
Customer Guidance
Customers managing their own systems or using unmanaged services should ensure they have applied the latest security updates or have removed the plugin. Customers should also review their systems for indicators of compromise using the information provided in the LiteSpeed blog article.
Should you need any assistance or have any questions or concerns, you can reach us through the following channels:
Live Chat via the Customer Portal: https://my.liquidweb.com
Email: support@liquidweb.com
We will continue monitoring this vulnerability and will provide updates if new information becomes available.
This incident affected: CPanel.