CVE-2026-29205
WebPros · cPanel / WP Squared
An unauthenticated path traversal vulnerability in cPanel and WP Squared allows attackers to read arbitrary files on the server via the cpdavd attachment download endpoints.
Executive summary
An unauthenticated arbitrary file read vulnerability in cPanel and WP Squared poses a critical risk to server confidentiality and system integrity.
Vulnerability
This is an improper privilege management and path traversal vulnerability residing in the cpdavd attachment download functionality. The vulnerability is exploitable by unauthenticated remote attackers.
Business impact
The ability for an unauthenticated attacker to read arbitrary files on the server can lead to the exposure of sensitive configuration files, credentials, and system data. Given the CVSS score of 8.6, this vulnerability represents a significant risk of full system compromise, potentially leading to unauthorized access to hosted websites and databases.
Remediation
Immediate Action: Update cPanel and WP Squared to the patched versions specified in the official vendor advisory immediately.
Proactive Monitoring: Monitor server access logs for anomalous requests to the cpdavd service, particularly those containing directory traversal patterns (e.g., ../).
Compensating Controls: Ensure that the cpdavd service is not exposed to the public internet where possible, and utilize a Web Application Firewall (WAF) to block requests containing path traversal sequences.
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability is highly critical due to the lack of authentication required for exploitation. Administrators must prioritize patching these systems immediately to prevent unauthorized file access that could serve as a precursor to full server compromise.