LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root

A maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild. The flaw, tracked as CVE-2026-48172 (CVSS score: 10.0), relates to an instance of incorrect privilege assignment that an attacker could abuse to run arbitrary scripts with elevated permissions. "Any cPanel user (including an attacker or a compromised account) may

The reported issue is a critical incorrect privilege assignment vulnerability (CVE-2026-48172, CVSS 10.0) in the LiteSpeed User-End cPanel Plugin versions 2.3–2.4.4 that allows any authenticated cPanel user, including compromised accounts, to abuse the lsws.redisAble function to execute arbitrary scripts as root, and it is confirmed to be exploited in the wild.[2][3][4] The LiteSpeed WHM plugin itself is not directly vulnerable, but affected user-end plugin versions are widely deployed in shared hosting environments, and patches are available starting from cPanel plugin v2.4.5 and fully bundled in WHM 5.3.1.0 / cPanel plugin v2.4.7.[2][3][4][5] From a CyberSE.AI perspective, this type of hosting-panel privilege escalation is an AI supply chain risk because compromised cPanel accounts or servers can be leveraged to hijack AI applications, alter model-serving code or endpoints, and exfiltrate configuration, API keys, or model artifacts hosted on the same infrastructure. Organizations running AI workloads on shared or managed hosting should ensure LiteSpeed components are inventoried in their SBOM, patched to fixed versions, and that logs are reviewed for `cpanel_jsonapi_func=redisAbl