CISA Flags Critical LiteSpeed Plugin Flaw Amid Active Exploitation

CyberPro Magazine

Key Takeaways

  • CISA lists CVE-2026-48172 in the KEV catalog
  • Severity score reaches 9.8, with active exploitation confirmed
  • Federal agencies given a deadline of May 29 for remediation
  • A prior flaw impacted 44,000 cPanel servers within one month

A critical vulnerability affecting a LiteSpeed plugin used with cPanel has been added to the Known Exploited Vulnerabilities catalog by the Cybersecurity and Infrastructure Security Agency. The flaw, identified as CVE-2026-48172, carries a severity score of 9.8 and is being actively exploited.

Widespread Use Of LiteSpeed Raises Exposure Across Hosting Environments

The agency has instructed federal organizations to either apply patches or remove affected versions of the LiteSpeed plugin by May 29. LiteSpeed has advised users to update to the latest version of its cPanel plugin to address the issue.

Security professionals have raised concerns due to the extensive adoption of LiteSpeed across hosting environments. The web server has become one of the most widely used platforms, in part because it can read Apache configuration files without requiring major changes. This has allowed hosting providers to adopt it with minimal operational disruption.

The LiteSpeed plugin is commonly deployed in shared hosting environments, where a single server may support many websites. In such environments, a vulnerability that allows privilege escalation can affect multiple users at once.

The flaw enables an attacker with access to a compromised cPanel account to gain control over the entire server. This type of access can expose all hosted sites within the same environment, increasing the potential impact.

Repeated Vulnerabilities Highlight Risk In Shared Hosting Systems

Security experts have pointed to recent incidents within the same ecosystem. A separate vulnerability, identified as CVE-2026-41940, affected approximately 44,000 cPanel servers less than a month earlier. That flaw was used to deploy malware and ransomware across hosting systems.

The recurrence of critical vulnerabilities in systems using the LiteSpeed plugin has drawn attention to the risks associated with shared infrastructure. When multiple users rely on a single system, a single compromised account can lead to broader exposure.

Experts have also noted that the time between vulnerability disclosure and exploitation is decreasing. Advances in automation and artificial intelligence tools are enabling faster identification and use of security weaknesses.

In this case, the short remediation window reflects the urgency associated with active exploitation. Organizations that use the affected plugin are advised to apply updates immediately and verify whether their systems have been impacted.

At the same time, not all environments are affected. The risk depends on whether the vulnerable plugin is installed and accessible within a given hosting setup. Organizations are advised to first confirm their exposure before taking action.
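Confirming exposure starts with checking whether a component you run appears in the KEV catalog and how much of the remediation window remains. The script below is an added example, not code from the article, CISA or LiteSpeed: it parses a feed in the layout of CISA's KEV JSON (the field names cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse are the catalog's real schema), filters entries by vendor or product keyword, and reports the deadline status. The embedded feed is constructed for the demonstration: the CVE id and the May 29 due date come from the article, while the year of the due date, the vendor and product strings, the dateAdded value and the second entry are placeholders.

```python
"""Check a CISA KEV feed for entries affecting a product and report remediation deadlines.

Added example (not from the article, CISA or LiteSpeed). The live catalog is
published at KEV_URL; the sample below is constructed so the script runs offline.
"""
import json
import urllib.request
from datetime import date, datetime

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the KEV feed layout. The CVE id and "May 29" due date are from
# the article; the year 2026, vendor/product strings, dateAdded and the second entry
# are placeholders, not values copied from the real catalog.
SAMPLE_FEED = json.loads("""
{
  "title": "Constructed sample in the KEV JSON layout",
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-48172",
      "vendorProject": "LiteSpeed",
      "product": "cPanel plugin (placeholder product string)",
      "dateAdded": "2026-05-08",
      "dueDate": "2026-05-29",
      "knownRansomwareCampaignUse": "Unknown"
    },
    {
      "cveID": "CVE-0000-00001",
      "vendorProject": "ExampleVendor",
      "product": "Unrelated appliance (placeholder)",
      "dateAdded": "2026-01-10",
      "dueDate": "2026-01-31",
      "knownRansomwareCampaignUse": "Known"
    }
  ]
}
""")


def fetch_kev_feed(url=KEV_URL, timeout=30):
    """Download and parse the live catalog. Not called by the offline demo below."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def find_kev_entries(feed, keyword):
    """Return entries whose vendorProject or product mentions keyword (case-insensitive)."""
    kw = keyword.lower()
    return [
        v for v in feed["vulnerabilities"]
        if kw in v.get("vendorProject", "").lower() or kw in v.get("product", "").lower()
    ]


def lookup_cve(feed, cve_id):
    """Return the entry for a specific CVE id, or None if it is not in the catalog."""
    return next((v for v in feed["vulnerabilities"] if v.get("cveID") == cve_id), None)


def remediation_status(entry, today):
    """Return (status, days): days until dueDate, negative once the deadline has passed."""
    due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
    delta = (due - today).days
    return ("overdue" if delta < 0 else "open", delta)


def kev_report(feed, keyword, today):
    """One human-readable line per matching entry, including ransomware-use flag."""
    lines = []
    for e in find_kev_entries(feed, keyword):
        status, days = remediation_status(e, today)
        lines.append(
            f"{e['cveID']}: {e['vendorProject']} {e['product']} "
            f"added {e['dateAdded']}, due {e['dueDate']} ({status}, {days} days); "
            f"ransomware use: {e.get('knownRansomwareCampaignUse', 'Unknown')}"
        )
    return lines


if __name__ == "__main__":
    # Swap SAMPLE_FEED for fetch_kev_feed() to run against the live catalog.
    for line in kev_report(SAMPLE_FEED, "litespeed", date.today()):
        print(line)
```

Matching on vendor and product strings rather than on a CVE id alone catches sibling entries for the same component, which matters when a second flaw in the same ecosystem follows the first within weeks; the due-date arithmetic gives the number the federal deadline actually imposes.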

The incident underscores the importance of monitoring software components that manage access within hosting systems. Vulnerabilities in such components can lead to broad system compromise when deployed across shared environments.

The addition of this flaw affecting the LiteSpeed plugin to the Known Exploited Vulnerabilities catalog highlights the continued focus on securing widely used infrastructure components.
