CVE-2026-32993
WebPros · cPanel and WP Squared
Improper sanitization of the `status` query parameter in the /unprotected/nova_error endpoint allows unauthenticated attackers to perform CRLF injection.
Executive summary
An unauthenticated CRLF injection vulnerability in cPanel and WP Squared enables attackers to inject arbitrary HTTP headers into server responses, facilitating cache poisoning and cross-site scripting.
Vulnerability
The vulnerability is a CRLF injection (CWE-93) located in the status parameter of the /unprotected/nova_error endpoint. Because the endpoint does not require authentication, an attacker can manipulate HTTP responses to facilitate various web-based attacks.
Business impact
With a CVSS score of 8.3 (High), this vulnerability poses a significant risk to web infrastructure. CRLF injection can lead to cache poisoning, session hijacking, or cross-site scripting (XSS), potentially impacting the integrity and security of the services managed by cPanel or WP Squared.
Remediation
Immediate Action: Update cPanel and WP Squared installations to the latest patched versions as detailed in the WebPros security advisory.
Proactive Monitoring: Monitor web server access logs for anomalous requests containing carriage return (%0D) or line feed (%0A) characters.
Compensating Controls: Implement a Web Application Firewall (WAF) rule to block requests containing CRLF sequences in the status query parameter of the affected endpoint.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Administrators must update their cPanel and WP Squared environments immediately to eliminate this injection vector. Given the ease of exploitation, testing and applying the security update should be prioritized to prevent potential web-based attacks.