Cyber Resilience

CVE-2026-47365

Critical

Published: 12 June 2026

Modified: 17 June 2026
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0041 (32.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-47365 is a critical-severity Argument Injection (CWE-88) vulnerability in cPanel (inferred from references). Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks at the 32.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Argument injection vulnerability in WordPress Toolkit before 6.11.0, as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.

CWE(s)

CWE-88 (Argument Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Argument injection (CWE-88) directly enables arbitrary wp-toolkit CLI command execution on a Linux-based cPanel system, mapping to Unix Shell.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

cPanel
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
