CVE-2026-54420: Actively Exploited Vulnerability

Who it affects
LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.
What to do
Patch immediately — prioritise internet-facing systems.

CVE-2026-54420 is a high-severity vulnerability (CVSS 8.5), listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as actively exploited.

Remediation

This vulnerability is actively exploited: apply the vendor's patch immediately (LiteSpeed cPanel plugin 2.4.8 or later, as distributed in LiteSpeed WHM PlugIn 5.3.2.0 or later) and prioritize internet-facing systems. Patch-management tools that can deploy and verify the fix include Action1, Automox, ManageEngine Patch Manager Plus, and ManageEngine Endpoint Central.

Sources

Data as of June 16, 2026. Sources: nvd.nist.gov, blog.litespeedtech.com, litespeedtech.com, cisa.gov. Figures are pulled from public vendor and security data and refreshed automatically.