CVE-2026-29205

WebPros · cPanel / WP Squared

An unauthenticated path traversal vulnerability in cPanel and WP Squared allows attackers to read arbitrary files on the server via the cpdavd attachment download endpoints.

Executive summary

An unauthenticated arbitrary file read vulnerability in cPanel and WP Squared poses a critical risk to server confidentiality and system integrity.

Vulnerability

This is an improper privilege management and path traversal vulnerability residing in the cpdavd attachment download functionality. The vulnerability is exploitable by unauthenticated remote attackers.

Business impact

The ability for an unauthenticated attacker to read arbitrary files on the server can lead to the exposure of sensitive configuration files, credentials, and system data. Given the CVSS score of 8.6, this vulnerability represents a significant risk of full system compromise, potentially leading to unauthorized access to hosted websites and databases.

Remediation

Immediate Action: Update cPanel and WP Squared to the patched versions specified in the official vendor advisory immediately.

Proactive Monitoring: Monitor server access logs for anomalous requests to the cpdavd service, particularly those containing directory traversal patterns (e.g., ../).

Compensating Controls: Ensure that the cpdavd service is not exposed to the public internet where possible, and utilize a Web Application Firewall (WAF) to block requests containing path traversal sequences.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability is highly critical due to the lack of authentication required for exploitation. Administrators must prioritize patching these systems immediately to prevent unauthorized file access that could serve as a precursor to full server compromise.