Actively exploited in the wild
LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability
LiteSpeed — cPanel Plugin · Listed in the CISA KEV since 2026-06-15. This indicates confirmed attacks in production environments.
Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
CVE-2026-54420
Severity: High (CVSS 8.5) · Listed in KEV · Exploitation Probability (EPSS): Low risk, 45th percentile (higher than 45% of all known CVEs)
Summary
LiteSpeed cPanel plugin before version 2.4.8 mishandles symlinks provided by users with FTP or web shell access on shared hosting servers running CloudLinux/CageFS.
Risk Assessment
This vulnerability may lead to unauthorized access to the file system, posing a risk to data security on the server.
Recommendation
It is recommended to update the LiteSpeed cPanel plugin to version 2.4.8 or later to mitigate the risks associated with this vulnerability.
Original NVD description (English source)
LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.
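As an added defender's check that is not part of this advisory or of LiteSpeed's own code: a sweep over a shared-hosting user's home directory that reports every symlink resolving outside that home (the kind of user-supplied link the advisory says the plugin mishandled), plus dangling links. The directory layout is constructed inline in a temporary directory for demonstration; on a real host you would point it at each account's home.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def find_escaping_symlinks(home: str) -> list[tuple[str, Optional[str]]]:
    """Return (link_path, resolved_target) for each symlink under `home` whose
    resolved target lies outside `home`. Dangling links are reported with
    target None. Symlinked directories are not descended into."""
    root = Path(home).resolve()
    findings: list[tuple[str, Optional[str]]] = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            try:
                target = p.resolve(strict=True)
            except (OSError, RuntimeError):  # missing target or symlink loop
                findings.append((str(p), None))
                continue
            # A target equal to the home itself or below it stays in bounds.
            if target != root and root not in target.parents:
                findings.append((str(p), str(target)))
    return findings


def build_demo_home() -> tuple[str, str]:
    """Construct a throwaway 'home' and an 'outside' directory for the demo."""
    base = Path(tempfile.mkdtemp(prefix="symlink-audit-"))
    home = base / "home" / "user1"
    outside = base / "etc"
    (home / "public_html").mkdir(parents=True)
    outside.mkdir()
    (outside / "secret.conf").write_text("db_password=example\n")  # constructed
    (home / "notes.txt").write_text("benign file\n")
    # Benign link: stays inside the home directory.
    os.symlink(home / "notes.txt", home / "public_html" / "notes-link")
    # Suspicious link: points at a file outside the account's home.
    os.symlink(outside / "secret.conf", home / "public_html" / "config")
    # Dangling link: target does not exist.
    os.symlink(home / "missing", home / "public_html" / "dangling")
    return str(home), str(outside)


if __name__ == "__main__":
    demo_home, _ = build_demo_home()
    for link, target in find_escaping_symlinks(demo_home):
        print(f"{link} -> {target if target else '<dangling>'}")
```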