Description
Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows an unauthenticated attacker to inject arbitrary HTTP headers into the response.
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Confidentiality: Low
- Integrity: Low
- Availability: Low
Affected products
- WebPros / cPanel 11.132.0.0 – 11.132.0.32
- WebPros / cPanel 11.134.0.0 – 11.134.0.26
- WebPros / cPanel 11.136.0.0 – 11.136.0.10
- WebPros / WP Squared 11.132.1.0 – 11.136.1.12
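To check access logs for attempts against the endpoint named in the Description, the following added example (not part of the advisory or of any vendor tooling) flags requests whose `status` value decodes to a line break. It assumes that the injection depends on CR or LF characters, which the advisory does not state, and that logs use a common/combined-style request field; the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/unprotected/nova_error"  # endpoint named in the advisory
PARAM = "status"                      # parameter named in the advisory
# Assumption: the header injection relies on CR/LF reaching the response.
LINE_BREAK = re.compile(r"[\r\n]")
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /unprotected/nova_error?status=404 HTTP/1.1" 404 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /unprotected/nova_error?status=500%0d%0aX-Constructed-Sample:1 HTTP/1.1" 500 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "GET /unprotected/nova_error?status=500%250aX-Constructed-Sample:1 HTTP/1.1" 500 512',
    '192.0.2.10 - - [01/Jan/2025:10:00:12 +0000] "GET /other?status=1%0d%0a HTTP/1.1" 200 100',
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%250d) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_status(request_target):
    """Return the decoded status value if it contains CR/LF, else None."""
    parts = urlsplit(request_target)
    # endswith() also matches the endpoint behind a path prefix.
    if not unquote(parts.path).rstrip("/").endswith(ENDPOINT):
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == PARAM:
            decoded = fully_decode(value)  # parse_qsl already decoded once
            if LINE_BREAK.search(decoded):
                return decoded
    return None

def scan(lines):
    """Return 1-based numbers of log lines with a suspicious status value."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match and suspicious_status(match.group(1)) is not None:
            hits.append(lineno)
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A hit shows that a request carried line-break characters in `status`; whether the response was affected depends on the installed version, per the Affected products list.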