CVE-2026-32993

WebPros · cPanel and WP Squared

Improper sanitization of the `status` query parameter in the /unprotected/nova_error endpoint allows unauthenticated attackers to perform CRLF injection.

Executive summary

An unauthenticated CRLF injection vulnerability in cPanel and WP Squared enables attackers to inject arbitrary HTTP headers into server responses, facilitating cache poisoning and cross-site scripting.

Vulnerability

The vulnerability is a CRLF injection (CWE-93) located in the status parameter of the /unprotected/nova_error endpoint. Because the endpoint does not require authentication, an attacker can manipulate HTTP responses to facilitate various web-based attacks.

Business impact

With a CVSS score of 8.3 (High), this vulnerability poses a significant risk to web infrastructure. CRLF injection can lead to cache poisoning, session hijacking, or cross-site scripting (XSS), potentially impacting the integrity and security of the services managed by cPanel or WP Squared.

Remediation

Immediate Action: Update cPanel and WP Squared installations to the latest patched versions as detailed in the WebPros security advisory.

Proactive Monitoring: Monitor web server access logs for anomalous requests containing carriage return (%0D) or line feed (%0A) characters.

Compensating Controls: Implement a Web Application Firewall (WAF) rule to block requests containing CRLF sequences in the status query parameter of the affected endpoint.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Administrators must update their cPanel and WP Squared environments immediately to eliminate this injection vector. Given the ease of exploitation, testing and applying the security update should be prioritized to prevent potential web-based attacks.