
CVE-2026-54420

Severity: High · CISA KEV · Active Exploitation

Published: 14 June 2026

Modified: 17 June 2026
KEV Added: 15 June 2026
Patch: available
CVSS Score (v3.1): 8.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0126 (66.0th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-54420 is a high-severity UNIX Symbolic Link (Symlink) Following (CWE-61) vulnerability in the LiteSpeed cPanel Plugin (litespeedtech). Its CVSS base score is 8.5 (High).

Exploitation maps to the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 34.0% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

LiteSpeed cPanel plugin before version 2.4.8, distributed as part of LiteSpeed WHM PlugIn before 5.3.2.0, contains a symlink mishandling flaw on shared hosting servers that use CloudLinux with CageFS. The issue, classified as CWE-61 (UNIX Symbolic Link Following), allows improper resolution of symbolic links supplied by authenticated users. It carries a CVSS 3.1 score of 8.5, reflecting a network attack vector, high attack complexity, low privileges required, no user interaction, and changed scope with high impact on confidentiality, integrity, and availability.

An attacker who already possesses FTP or web shell access on the affected system can supply crafted symlinks that the plugin fails to contain within the expected CageFS jail. Successful exploitation grants the ability to read or modify files outside the user’s assigned home directory, potentially affecting other tenants or system components on the shared server.

Vendor guidance published on 1 June 2026 directs administrators to upgrade the LiteSpeed cPanel plugin to 2.4.8 or newer. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog after confirmed in-the-wild exploitation in May 2026; the current EPSS score stands at 0.0061 with no reported material increase since disclosure.
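The containment failure described above, as an added example (not LiteSpeed's or the vendor's code): a Python check that resolves a tenant-supplied path and rejects anything whose resolved location leaves the jail root, beside the lexical-only check that CWE-61 flaws typically rely on. The jail layout, tenant names and file names are constructed for the demonstration.

```python
"""Containment check for user-supplied paths against a jail root (added
example, not LiteSpeed's code). A lexical-only check is contrasted with one
that resolves symlinks before testing containment, the CWE-61 fix."""
import os
import tempfile
from pathlib import Path


def naive_is_inside(jail_root: str, requested: str) -> bool:
    """Lexical check only: normalises '..' but never follows symlinks.
    This is the class of mistake CWE-61 describes."""
    root = os.path.abspath(jail_root)
    target = os.path.abspath(os.path.join(root, requested))
    return target == root or target.startswith(root + os.sep)


def resolved_is_inside(jail_root: str, requested: str) -> bool:
    """Resolve every symlink component, then test containment against the
    resolved jail root; a component pointing outside the jail is rejected."""
    root = Path(jail_root).resolve(strict=True)
    target = (root / requested).resolve(strict=False)
    return target == root or root in target.parents


def build_demo() -> dict:
    """Constructed fixture (not real hosting data): a fake jail holding one
    honest file and one symlink that escapes to another tenant's file."""
    base = Path(tempfile.mkdtemp())
    jail = base / "home" / "tenant_a"
    (jail / "public_html").mkdir(parents=True)
    (jail / "public_html" / "index.html").write_text("ok")
    secret = base / "home" / "tenant_b" / "wp-config.php"
    secret.parent.mkdir(parents=True)
    secret.write_text("DB_PASSWORD=constructed")
    # The escape: a link inside tenant_a's jail pointing at tenant_b's file.
    (jail / "public_html" / "cache.php").symlink_to(secret)
    honest, escape = "public_html/index.html", "public_html/cache.php"
    return {
        "naive_honest": naive_is_inside(str(jail), honest),
        "naive_escape": naive_is_inside(str(jail), escape),  # wrongly True
        "resolved_honest": resolved_is_inside(str(jail), honest),
        "resolved_escape": resolved_is_inside(str(jail), escape),  # False
    }


if __name__ == "__main__":
    for name, verdict in build_demo().items():
        print(f"{name:16s} {verdict}")
```

The resolved check is the one to apply at every point where the plugin reads, writes or copies a path taken from a tenant's home; the lexical check alone accepts the escaping link.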


Vulnerability details

LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.

CWE(s): CWE-61 UNIX Symbolic Link (Symlink) Following

Related Threats

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

A symlink escape from the CageFS jail directly enables reading or modifying files outside the assigned home directory (T1005) and discovering files and directories beyond the restricted environment (T1083).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

litespeedtech / litespeed cpanel plugin: ≤ 2.4.8
litespeedtech / litespeed whm plugin: ≤ 5.3.2.0

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces that the LiteSpeed plugin must restrict symlink resolution to the caller's CageFS jail, blocking escape to other tenants' files.

AC-4 Information Flow Enforcement (prevent): Requires explicit information-flow rules between isolated user domains so that user-supplied symlinks cannot traverse CageFS boundaries.

Process isolation (prevent): Mandates process isolation on shared hosts; the plugin must not be permitted to weaken the CageFS isolation boundary.
