Full Report
cPanel security advisory (AV26-499)
Analysis Summary
# Vulnerability: Critical Security Updates for cPanel & WHM and EasyApache4
## CVE Details
- **CVE ID:** CVE-2026-33278 (and others addressed in the EasyApache update)
- **CVSS Score:** Not explicitly listed in the advisory (Estimated High/Critical based on product impact)
- **CWE:** Not specified (Likely related to Improper Input Validation or Resource Management in cpanel-unbound)
## Affected Systems
- **Products:**
- cPanel & WebHost Manager (WHM)
- WP Squared
- EasyApache4
- **Versions:**
- cPanel & WHM version 11.126.0.63 and later
- cPanel & WHM version 11.134.0.30 and later
- cPanel & WHM version 11.136.0.14 and later
- WP Squared 11.138.1.1 and later
- EasyApache4 versions prior to v25.62
- **Configurations:** Systems utilizing `cpanel-unbound` for DNS resolution and servers running EasyApache4 managed environments.
## Vulnerability Description
While the advisory is concise, the primary flaw (CVE-2026-33278) involves a security issue within the `cpanel-unbound` component (version 1.25.1). Unbound is a validating, recursive, caching DNS resolver; vulnerabilities in this component typically involve Denial of Service (DoS) through resource exhaustion, cache poisoning, or potential buffer overflows when processing malicious DNS responses. The EasyApache4 update addresses several undisclosed security flaws within the software stack used to build and deploy web server environments.
## Exploitation
- **Status:** No reports of exploitation in the wild at the time of publication.
- **Complexity:** Medium (Requires DNS manipulation or specific network conditions).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** Low to Medium
- **Integrity:** Medium (Potential for DNS spoofing/cache poisoning)
- **Availability:** High (Potential for service disruption of DNS resolution)
## Remediation
### Patches
Users are advised to upgrade to the following versions or newer:
- **cPanel & WHM:** Ensure the system is updated to the latest minor version within your release tier (Current, Edge, Release, or Stable).
- **EasyApache4:** All users must update to **v25.62** or higher.
- **WP Squared:** Update to **11.138.1.1** or later.
### Workarounds
No specific workarounds were provided. The vendor recommends automated updates to ensure all security binaries are replaced.
## Detection
- **Indicators of Compromise:** Unexplained failures in DNS resolution, unusual traffic on port 53, or service crashes in the `cpanel-unbound` process.
- **Detection methods and tools:**
- Verify installed versions via command line: `/usr/local/cpanel/cpanel -V`
- Check EasyApache versioning via the WHM interface under "EasyApache 4".
## References
- **Vendor advisories:**
- hxxps[://]support[.]cpanel[.]net/hc/en-us/articles/40646746647703-Security-CVE-2026-33278-cpanel-unbound-1-25-1-Security-Release-May-21-2026
- hxxps[://]support[.]cpanel[.]net/hc/en-us/articles/40646970590999-Security-EasyApache4-v25-62-Security-Release-May-21-2026
- **General cPanel Security Hub:** hxxps[://]support[.]cpanel[.]net/hc/en-us/sections/360007088193-Security