CVE-2026-54420
Published: 14 June 2026
Summary
CVE-2026-54420 is a high-severity UNIX Symbolic Link (Symlink) Following (CWE-61) vulnerability in Litespeedtech Litespeed Cpanel Plugin. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked in the top 34.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Deeper analysis
LiteSpeed cPanel plugin before version 2.4.8, distributed as part of LiteSpeed WHM PlugIn before 5.3.2.0, contains a symlink mishandling flaw on shared hosting servers that use CloudLinux with CageFS. The issue, classified as CWE-61, allows improper resolution of symbolic links supplied by authenticated users and carries a CVSS 3.1 score of 8.5, reflecting a network attack vector, high attack complexity, low privileges required, and changed scope with high impact on confidentiality, integrity, and availability.
An attacker who already possesses FTP or web shell access on the affected system can supply crafted symlinks that the plugin fails to contain within the expected CageFS jail. Successful exploitation grants the ability to read or modify files outside the user’s assigned home directory, potentially affecting other tenants or system components on the shared server.
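The defensive pattern the plugin is missing is illustrated below with an added example that is not code from the page or from LiteSpeed: a helper that resolves a user-supplied path through every symlink and refuses it unless the final real location stays under the caller's jail root. The `demo()` function builds a constructed jail layout in a temporary directory, with one legitimate file, one symlink that points outside the jail, and one `../` traversal; the jail and file names are assumptions for illustration only.

```python
import os
import tempfile
from pathlib import Path


def resolve_within_jail(jail_root: str, user_path: str) -> Path:
    """Resolve user_path (taken relative to jail_root), following every
    symlink, and refuse it unless the final real location is inside jail_root.

    Raises PermissionError when a symlink or a ../ component escapes the jail.
    Both sides are canonicalised with realpath so a symlinked jail root is
    compared consistently. Note this is a check at resolution time only; a
    link swapped in between check and use (TOCTOU) still needs O_NOFOLLOW-style
    handling at the open() itself.
    """
    jail = Path(os.path.realpath(jail_root))
    candidate = jail / user_path.lstrip("/")
    real = Path(os.path.realpath(candidate))
    # Ancestry check: the resolved path must be the jail itself or sit below it.
    if real != jail and jail not in real.parents:
        raise PermissionError(f"{user_path!r} resolves outside {jail_root!r}: {real}")
    return real


def demo() -> dict:
    """Constructed jail layout in a temp dir exercising the allowed and blocked cases."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        jail = os.path.join(tmp, "home", "tenant")  # hypothetical tenant jail
        os.makedirs(jail)
        secret = os.path.join(tmp, "other_tenant_secret.txt")  # lives outside the jail
        Path(secret).write_text("not yours\n")
        Path(jail, "notes.txt").write_text("ok\n")  # legitimate in-jail file
        # Symlink inside the jail that points outside it: the CWE-61 pattern.
        os.symlink(secret, os.path.join(jail, "escape.txt"))

        results["inside"] = resolve_within_jail(jail, "notes.txt").read_text()
        try:
            resolve_within_jail(jail, "escape.txt")
            results["escape_blocked"] = False
        except PermissionError:
            results["escape_blocked"] = True
        try:
            resolve_within_jail(jail, "../../other_tenant_secret.txt")
            results["traversal_blocked"] = False
        except PermissionError:
            results["traversal_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```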
Vendor guidance published on 1 June 2026 directs administrators to upgrade the LiteSpeed cPanel plugin to 2.4.8 or newer. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog after confirmed in-the-wild exploitation in May 2026; the current EPSS score stands at 0.0061 with no reported material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-36657
Vulnerability details
LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.
- CWE(s): CWE-61 (UNIX Symbolic Link (Symlink) Following)
- KEV Date Added: 15 June 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1005 Data from Local System
- T1083 File and Directory Discovery
Why these techniques?
A symlink escape from the CageFS jail directly enables reading or modifying files outside the assigned home directory (T1005) and discovery of files and directories beyond the restricted environment (T1083).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces that the LiteSpeed plugin must restrict symlink resolution to the caller's CageFS jail, blocking escape to other tenants' files.
- AC-4 (Information Flow Enforcement): requires explicit information-flow rules between isolated user domains so that user-supplied symlinks cannot traverse CageFS boundaries.
- Process isolation on shared hosts: the plugin must not be permitted to weaken the CageFS isolation boundary.