The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. government agencies three days to secure their servers against an actively exploited vulnerability (CVE-2026-54420) in the LiteSpeed cPanel user-end plugin.
Tracked as CVE-2026-48172, this high-severity vulnerability was reported by Namecheap and allows attackers with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux/CageFS.
This vulnerability affects all user-end plugin versions before 2.4.8 and stems from a 'UNIX symlink following' weakness.
LiteSpeed flagged it as actively exploited in early June and released urgent security updates, warning users to update the cPanel user-end plugin (bundled with the WHM plugin) to the latest version.
Users are advised to use the following command to check whether their server is vulnerable to attacks targeting CVE-2026-48172:
