[KEV] CVE-2026-48172 -- CVSS 0.0 Vulnerability Briefing
[KEV] CVE-2026-48172 | CVSS 0.0 (Low) | Exploit: Operational
What Is It
CVE-2026-48172 is a privilege escalation vulnerability in the LiteSpeed cPanel Plugin, specifically exposed through the user-facing cPanel plugin interface.
Technical Detail
The flaw allows any authenticated cPanel user account, regardless of privilege level, to abuse the LiteSpeed cPanel Plugin to execute arbitrary scripts with root privileges on the underlying system. The vulnerability exists because the plugin does not enforce adequate privilege separation or input validation when processing user-initiated actions, allowing a low-privileged user to escalate to root. Successful exploitation results in full system compromise of the hosting server, potentially affecting all accounts and data hosted on that system.
Exploitation Status
CISA has confirmed active exploitation in the wild, with this vulnerability added to the Known Exploited Vulnerabilities catalog on May 26, 2026. The exploit maturity is rated Operational, meaning functional exploit code exists and is being used in real-world attacks. This is not a theoretical or proof-of-concept risk; attackers are actively leveraging this vulnerability against production systems.
Who Is Targeting This
No specific threat actor has been attributed at this time. Based on currently available data, there are no confirmed or reported threat actor associations for this vulnerability.
What To Do
Under CISA's Known Exploited Vulnerabilities Binding Operational Directive (BOD 22-01), federal agencies are required to patch this vulnerability or apply mitigations by the deadline associated with the May 26, 2026 KEV listing. All organizations running the LiteSpeed cPanel Plugin should treat this as a critical priority patch regardless of sector. Apply the latest available update from LiteSpeed for the cPanel Plugin immediately. If a patch is not yet available or cannot be applied immediately, consider disabling the LiteSpeed cPanel Plugin for end users until remediation is complete, and restrict cPanel user access to the minimum necessary. Review server logs for unexpected script execution events running under root context, and audit any recent privilege changes or unauthorized account activity on affected hosting systems.
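One way to carry out the log review above, as an added example (not code from LiteSpeed, cPanel or CISA): scan Linux auditd records for execve events that ran with effective UID 0 and whose program or arguments point into a user-writable directory. It assumes an auditd rule logging execve calls with effective UID 0 is already loaded, that the user-writable prefixes are /home/, /tmp/, /var/tmp/ and /dev/shm/, and that x86_64 syscall numbering applies; the sample records are constructed. The page does not describe how exploitation appears in logs, so hits are leads to investigate, not confirmation.

```python
import re
from collections import defaultdict
# Assumption: directories an unprivileged hosting user can write to.
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")
RECORD = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """auditd quotes plain strings and hex-encodes ones containing unsafe bytes."""
    if value.startswith('"'):
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def root_execs_from_user_paths(lines):
    """Return (event_id, exe, path) for root execve events touching user-writable paths."""
    events = defaultdict(dict)  # records of one event share the audit(ts:serial) id
    for line in lines:
        m = RECORD.match(line.strip())
        if m:
            rtype, eid, body = m.groups()
            events[eid].setdefault(rtype, {}).update(FIELD.findall(body))
    hits = []
    for eid, recs in events.items():
        sc = recs.get("SYSCALL", {})
        # 59 is execve on x86_64; euid 0 means the new program runs as root.
        if (sc.get("syscall"), sc.get("euid"), sc.get("success")) != ("59", "0", "yes"):
            continue
        argv = [v for k, v in recs.get("EXECVE", {}).items() if re.fullmatch(r"a\d+", k)]
        exe = decode(sc.get("exe", ""))
        for path in [exe] + [decode(v) for v in argv]:
            if path.startswith(USER_WRITABLE):
                hits.append((eid, exe, path))
                break
    return hits

# Constructed sample records (not from a real host).
SAMPLE = """\
type=SYSCALL msg=audit(1780000000.101:901): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4102 auid=4294967295 uid=0 euid=0 comm="sh" exe="/usr/bin/bash"
type=EXECVE msg=audit(1780000000.101:901): argc=2 a0="/bin/sh" a1="/home/exampleuser/tmp/job.sh"
type=SYSCALL msg=audit(1780000000.205:902): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=4110 auid=4294967295 uid=0 euid=0 comm="logrotate" exe="/usr/sbin/logrotate"
type=EXECVE msg=audit(1780000000.205:902): argc=2 a0="/usr/sbin/logrotate" a1="/etc/logrotate.conf"
type=SYSCALL msg=audit(1780000000.310:903): arch=c000003e syscall=59 success=yes exit=0 ppid=4200 pid=4201 auid=1001 uid=1001 euid=1001 comm="php" exe="/usr/bin/php"
type=EXECVE msg=audit(1780000000.310:903): argc=2 a0="php" a1="/home/exampleuser/public_html/index.php"
type=SYSCALL msg=audit(1780000000.420:904): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4300 auid=4294967295 uid=0 euid=0 comm="perl" exe="/usr/bin/perl"
type=EXECVE msg=audit(1780000000.420:904): argc=2 a0="perl" a1=2F746D702F61206A6F622E706C
""".splitlines()
for hit in root_execs_from_user_paths(SAMPLE):
    print(hit)
```

Legitimate root jobs can also touch these directories, so compare each hit's parent process (ppid) and timing against known maintenance tasks before escalating.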