This isn’t related to the vulnerabilities. They’re actively patching them, which while a bit exhausting to have to keep up with a new update everyday, I appreciate that they’re keeping it secure, especially after the first one that took down many servers (that many providers like Bluehost / HostGator haven’t restored)

But that aside, I truly just wonder what is going to happen with cPanel? We’re in the day and age where cPanel’s name has been tarnished due to their price structure change and constant increases, every single year since.

At this point, cPanel really just makes no sense to use and it’s not really in demand by people anymore. I remember I used to specifically want a host with cPanel. Now barely any major company uses it since cPanel getting greedy just made companies develop their own control panel or seek alternatives.

I just really wonder what the end goal is now? They just keep increasing pricing until no one’s left? They’re just hoping companies like Bluehost / HostGator are too lazy to migrate away and solely rely on their millions per month in cPanel fees?

I know this has all been said before probably but it’s just mind blowing that they don’t seem to want anyone to provide or use cPanel anymore. It’s no longer the industry standard, due to their own doing.

This thread spawned off from an internal cross-team discussion (well argument LOL) regarding the excess work that cPanel has caused us to have to monitor and verify.

As many people have noted, cPanel has been releasing updates at a rapid pace lately. Over the past month, I’ve spent a significant amount of time updating cPanel and the other operating systems I manage. At times, it has felt overwhelming.

Given how quickly these patches are being released, I know I’m not the only one feeling overwhelmed. Many of the smaller tech groups I work with have discussed this at length.

That said, it’s important to step back and look at the bigger picture.

Recently, there has been a surge in bugs. People using current tools are finding issues faster than teams like ours can address them.

Even with the high volume of patches, I’m actually relieved that the cPanel team is releasing them as soon as critical vulnerabilities are identified.

In the past couple of weeks, I’ve watched my SIEM shift from bright red to yellow and back again several times.

Our team manages several different operating systems, and patching for some of them appears to lag behind cPanel.

With that in mind, I want to thank the cPanel patch team for working hard to keep these critical issues addressed and up to date.

Love this or hate this, their patch frequence lately is saving some of us.

It is past the time, and it is unclear what the target version is supposed to be.

I am poking at things while waiting, trying to figure out the best way to just do this update as soon as it is available, and this should do it from cron, without affecting server load.

*/5 * * * * /scripts/is_update_available  && /scripts/upcp --cron > /dev/null

What is cPanel?

cPanel is the most widely used Linux hosting control panel. It provides a graphical interface that allows users to manage websites, email, databases, DNS records, and security settings without using the command line.

It works alongside WHM (WebHost Manager), which gives server administrators the ability to create hosting accounts, manage resources, and configure server-wide settings.

The architecture is split into two layers:

• WHM – server administration
• cPanel – end-user website management

Key Features of cPanel

• One-click installers via Softaculous
• Email hosting with Exim
• Database management using phpMyAdmin
• DNS management via BIND
• File management and FTP access
• Automatic SSL installation with Let’s Encrypt

Most shared hosting providers, such as HostGator, Bluehost, and Namecheap, rely heavily on cPanel because of its familiarity among users.

What Is Plesk?

Plesk is another major hosting control panel designed to manage servers, applications, and websites through a unified interface.

Unlike cPanel, Plesk supports both Linux and Windows servers, which makes it a common choice for businesses running Microsoft Windows Server infrastructure.

It also integrates tightly with developer workflows and DevOps automation tools.

Key Features of Plesk

• Built-in support for Docker
• Native Git deployment
• WordPress management toolkit
• Integration with Node.js, Ruby, and PHP
• Security monitoring with Fail2Ban
• Centralized server and domain management

Plesk is owned by WebPros, the same company that now owns cPanel.

cPanel vs Plesk: Core Differences

Here are some of the key differences between cPanel and Plesk.

cPanel vs Plesk: Operating System Support

This is the biggest structural difference.

cPanel

• Supports only Linux
• Typically installed on distributions like AlmaLinux, Rocky Linux, or CloudLinux

Plesk

• Supports Linux + Windows
• Commonly used on Ubuntu, Debian, and Windows Server

If your infrastructure requires ASP.NET or MSSQL, Plesk is essentially the only option.

cPanel vs Plesk: User Interface and Workflow

cPanel Interface

cPanel separates server administration from user management.

Structure:

• WHM → server admin
• cPanel → end users

This layered architecture is preferred by reseller hosting providers and shared hosting platforms.

Plesk Interface

Plesk uses a single unified dashboard where admins, resellers, and users operate with different permission levels.

This approach is simpler for:

• agencies
• developers
• small infrastructure teams

cPanel vs Plesk: Developer Tools and Automation

Modern hosting environments increasingly rely on automation.

Here, Plesk has an edge.

Plesk DevOps Integrations

Native support includes:

• Docker
• Git
• Composer
• Node.js

This makes Plesk more suitable for CI/CD workflows and containerized applications.

cPanel Ecosystem

cPanel relies more on plugins.

Popular integrations include:

• Softaculous
• CloudLinux
• LiteSpeed Web Server

The ecosystem is massive because cPanel has been dominant for over two decades.

cPanel vs Plesk: WordPress Management

Both control panels offer strong support for WordPress, but they approach it differently.

cPanel

WordPress installation typically happens through:

• Softaculous
• Installatron

These are third-party plugins.

Plesk

Plesk includes a native WordPress Toolkit with features like:

• mass updates
• staging environments
• Security hardening
• cloning sites

For agencies managing dozens of WordPress sites, this toolkit can be extremely efficient.

cPanel vs Plesk: Security Architecture

Security tooling is available in both panels, but implementation differs.

cPanel Security Stack

Common components of cPanel security include:

• Imunify360
• ModSecurity
• cPHulk

Plesk Security Stack

Built-in security tools include:

• Fail2Ban
• ModSecurity
• Let’s Encrypt SSL automation

Plesk’s dashboard also centralizes security alerts, which some admins find easier to monitor.

cPanel vs Plesk: Pricing Structure

Both control panels moved to account-based licensing models in recent years.

cPanel

Licensing depends on the number of hosting accounts per server.

This can increase costs significantly for shared hosting providers.

Plesk

Licenses are based on:

• number of domains
• edition tier

For VPS environments with fewer domains, Plesk can sometimes be cheaper.

cPanel vs Plesk: When to Choose Which?

When You Should Choose cPanel

Choose **cPanel if you:

• run Linux-only hosting infrastructure
• operate a shared hosting or reseller hosting business
• want the most widely supported control panel
• Relies on a large plugin ecosystem

Many hosting companies standardize on cPanel because it reduces user training and support requests.

When You Should Choose Plesk

Choose **Plesk if you:

• Run Windows Server hosting
• deploy containerized applications
• manage multiple WordPress installations
• need Git-based deployment workflows

It is particularly popular among web agencies and development teams.

cPanel vs Plesk: Final Verdict

Both cPanel and Plesk are powerful hosting management platforms, but they target slightly different audiences.

• cPanel dominates Linux shared hosting and reseller ecosystems.
• Plesk shines in developer workflows, WordPress management, and Windows hosting.

If you’re launching a hosting business or running Linux servers, cPanel remains the safest and most widely supported choice. But if your infrastructure involves DevOps pipelines, Docker containers, or Windows servers, Plesk offers a more modern and flexible platform.

cPanel vs Plesk? Which one would you choose and why? Share it with us in the comments section below.

These new patches came out 2 hours ago:

https://support.cpanel.net/hc/en-us/sections/360007088193-Security

I assume they are not the same ones that are scheduled for tomorrow morning, right?

From Litespeed's Slack channel:

[URGENT — Security Advisory]

A privilege-escalation vulnerability has been identified in the LiteSpeed
User-End cPanel Plugin. This issue is being actively exploited in the wild.

Affected: LiteSpeed User-End cPanel Plugin
Not affected: LiteSpeed WHM Plugin (the parent plugin)
Status: Fix in progress. This advisory will be updated when a patched
version is released.

ACTION REQUIRED (immediately):

Remove the LiteSpeed User-End cPanel Plugin and disable its auto-install.
Either method below is sufficient:

Option A — WHM UI
In the LiteSpeed WHM plugin, click the user-end plugin's "Disable" /
"Uninstall" button, then turn "Auto Install" OFF.

Option B — Command line (as root)
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --autoinstall 0

After running these steps, the user-end plugin will no longer be present
on existing accounts and will not be re-installed on new ones.

We will follow up as soon as the patched version is available. Please
contact LiteSpeed support if you need assistance.

Email received a few minutes ago:

We are writing to let you know that a cPanel & WHM security patch is expected to be released on Wednesday, May 20 at 8am EST.

 

This release addresses vulnerabilities across versions of cPanel & WHM, including fixes for the several vulnerabilities rated up to High severity.

 

All vulnerabilities were either responsibly disclosed by external researchers or identified internally by our security team. At this time, there are no known exploits or proof-of-concept code in the wild. To help protect customers prior to patch availability, technical details about vulnerabilities will be released alongside the patches.

 

Patch & Affected Versions

The patch will be available on Wednesday, May 20 at 8am EST and will be distributed through the standard cPanel automatic update process and through the manual update process. We strongly recommend performing a manual update once the patch is made available.

 

Versions Impacted:
86, 94, 102, 110, 110 (CL6), 118, 124, 126, 130, 132, 134, 136, 136 (WP2)

 

Prepare Now

• Identify affected servers. Review your servers on the affected versions above.
• Check the update configuration. For servers where automatic updates are disabled or version-pinned, review /etc/cpupdate.conf now so there are no delays when the patch lands.
• Brief your team. If your environment requires a maintenance window, notify the relevant people so they are ready to act.
• Manual update. To update impacted servers before an automatic update is triggered, run /scripts/upcp once the patch is made available.
• Note for CloudLinux 6 users. Before manually updating, set the update tier to the cl6110 branch
• Watch for a follow-up email with exact patched versions and a link to all technical details in the support article.

We will follow up the moment the patch is live with full details and remediation steps.

After nearly 2 decades of cPanel usage for my servers, time to say goodbye.

What used to be a simple, affordable control panel has turned into a licensing headache, especially with the constant price hikes that bring absolutely no real value in return.

Instead, the “value” seems to be constant vulnerabilities and security issues that either barely get communicated, get quietly patched with little transparency, or leave hosts/admins scrambling to update before problems spread.

No software is perfect, obviously. Every panel has bugs. But cPanel increasingly feels bloated, with enterprise pricing without enterprise-level transparency or innovation.

Meanwhile, alternatives have become genuinely viable products that move faster, cost less, use fewer resources, and actually get the job done.

At this point, I feel cPanel survives mostly because people are used to it, clients recognize the name, and migrations can be annoying.

But once the price-to-convenience ratio disappears, combined with the constant issues and security vulnerabilities, the “industry standard” label starts to mean a whole lot less.

I have officially transferred off my last cpanel server as of tonight.

Do better cpanel.

Edit:
A lot of people are wondering where I moved to.
Almost all of my own personal sites are just bare metal now without control panel. This was the last one I did last night.

For one of my servers though I used DirectAdmin. It isn't as "feature rich" but it uses less resources for the same job. Transfering cPanel accounts over to direct admin was also stupidly easy.

Then for my clients I have both enhance, and direct admin depending on the server and clients.

Most clients don't actually use control panels often, so there didn't seem to be to much friction with the change.

>To help protect customers prior to patch availability, technical details about vulnerabilities will be released alongside the patches.

Why alongside? Why not just patch us? Who ever doesn't get patched in time is exposed to the issue when you release it?

We recently put together a WHMCS addon:

"Pre-made WHMCS knowledgebase for cPanel"
150 comprehensive articles on cPanel, WordPress, FTP, and Softaculous designed specifically for your end-users

And wanted some honest feedback on pricing
We were thinking around $32

It includes: One SQL File, Image Folder, Installation Guide

cPanel Tutorials (82 Articles)
Managing email accounts. Setting up domains and subdomains. Creating backups and restoring data. Cron job automation. Using the File Manager and databases, and more

WordPress Tutorials (21 Articles)
Installing and configuring WordPress. Adding themes and essential plugins. Managing media libraries. Securing WordPress sites against threats, Navigating the WordPress dashboard, and more

Softaculous Auto Installer (22 Articles)
Installing WordPress, Joomla, Magento, and over 380 other applications. Creating and restoring backups. Managing installed applications. Managing app updates . Using Softaculous WordPress Manager, and more

FTP Guide (25 Articles)
How to set up popular FTP clients like Cyberduck and Commander One. Creating and managing FTP accounts within cPanel. Secure file transfers between computers and servers, and more

We have our complete Knowledgebase here
That you can see all the articles and images

What would you realistically expect to pay for something like this?
Appreciate any honest input 👍

Just received this..

We are writing to let you know that a cPanel & WHM security patch is expected to be released on Wednesday, May 13, 2026 at 1:00pm EST.

This release addresses multiple vulnerabilities across versions of cPanel & WHM, including fixes for the following vulnerabilities rated up to High severity.

• CVE-2026-29205
• CVE-2026-29206 
• CVE-2026-32991 
• CVE-2026-32992 
• CVE-2026-32993

 

All vulnerabilities were either responsibly disclosed by external researchers or identified internally by our security team. At this time, there are no known exploits or proof-of-concept code in the wild. To help protect customers prior to patch availability, technical details about vulnerabilities will be released alongside the patches.

 

Patch & Affected Versions

 

The patch will be available on May 13 at 1:00pm EST and will be distributed through the standard cPanel automatic update process and through the manual update process. We strongly recommend performing a manual update once the patch is made available.

 

Versions Impacted: 

86, 94, 102, 110, 110 CL6, 118, 124, 126, 130, 132, 134, 136, 136 (WP2) 

 

Prepare Now

• Identify affected servers. Review your servers on the affected versions above.
• Check the update configuration.  For servers where automatic updates are disabled or version-pinned, review /etc/cpupdate.conf now so there are no delays when the patch lands.
• Brief your team.  If your environment requires a maintenance window, notify the relevant people so they are ready to act.
• Manual update. To update impacted servers before an automatic update is triggered, run /scripts/upcp once the patch is made available. 
• Note for CloudLinux 6 users. Before manually updating, set the update tier to the cl6110 branch
• Watch for a follow-up email with exact patched versions and a link to all technical details in the support article.

The industry is seeing a sustained rise in discovered vulnerabilities, and AI is accelerating the pace at which they are found and exploited. We are responding by strengthening how we identify, validate, and act on security reports. You will hear from us more frequently as our processes evolve. This is intentional. We believe clear, timely communication is part of how we keep you protected.

 

We will follow up the moment the patch is live with full details and remediation steps.

 

Please reach out to your account manager or our support team, if you have any questions or need further guidance. 

Thank you for your continued partnership.

 

Best regards,

Your cPanel Security Team

I popped the email ([Important] cPanel & WHM Targeted Follow-up Release May 14 EST: Updated Patch Now Live) from cpanel into claud as I didn't quite understand the version numbers referenced in it.

Claude threw a bit of a wobbly as the string WebPros-True-AI-Transformation-Means-Asking-Different-Questions-docx-05-14-2026_08_58_PM.png was in it, turns out the table of version numbers was actually an image and had that title. I guess someone just had the word doc open and knocked up a table quickly but it shows where the focus is at this time.

Is cPanel/WebPros just vibecoded now? Because I can do that myself without paying the ridiculous licencing fees.

Such a shame to see another decent product sell out and get destroyed by private equity.

As a one-man show, I'm still a bit frazzled over the 3 kernel and 4-5 cPanel exploits that have come out in the last 2 weeks. I'm still rebuilding from the first CP exploit where a couple of my servers got hit.

Due to the massive amount of work involved, I have gotten into a "trust the process" mindset to help cope. I've been setting up manual CP updates in a shell and letting them run, assuming all would be well and not looking too closely at the process.

BIG mistake. I happened to glance at one of my machines after the update completed and noticed that it FAILED due to previously failed and still pending transfers stuck in the system. (I have been in business as a cPanel partner for 23 years and some of my oldest accounts still have ancient baggage that doesn't transfer properly). Naturally, I went into WHM and attempted to abort the failed/pending ones. As a quick google search will show, this has seemingly NEVER worked in the history of cPanel. The system fails to void them. The manual CLI instructions provided by cPanel also fail to work. It can't even find the file cPanel is telling you to examine. Since these last few updates have been life and death issues for the servers, I had to manually hack a solution to get the updates to complete. THIS IS COMPLETELY UNACCEPTABLE, cPanel. Fix your broken shit. It's been decades!

If you are suffering from this same issue, here's how I fixed it. This probably breaks something, but it allows the update to complete. First, check the last update to see if it completed properly

tail /var/cpanel/updatelogs/last

If you see "100%" on the 3rd line and "Completed all updates" on the last one, you are probably good and you can go about your business. If it says anything about the update not completing because of failed transfers, you can try the factory recommendations, but don't hold your breath. They probably won't work for you either. Here's what I did. USE AT YOUR OWN RISK

cd /var/cpanel
mv /var/cpanel/update_blocks.config /var/cpanel/update_blocks.config.bak
mkdir temptransfers
cd transfer_sessions
mv * ../temptransfers

The obvious side effect of this is that it removes all historical transfers/restores from the "Review Transfers and Restores" window. I guess you can move everything back to where it was, but that's just going to mean that the next update will fail again. The trouble seems to be a bad entry in "whmxfer.sqlite", but that's not a DB than I'm fluent in, so I depend on cPanel to not screw things up. That trust is clearly misplaced.

It looks like upcp installed this last night which was unexpected.

Would that be anything to be concerned about?

I am receiving this notification on Cpanel updates, it appears that there are some issues with the cloudlinux repository?:

The system cannot check the kernel status: “/usr/bin/yum” reported error code “1” when it ended: HTTPSConnectionPool(host='repo.cloudlinux.com', port=443): Max retries exceeded with url: /cloudlinux/mirrorlists/cln-mirrors (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 101] Network is unreachable',))

>

Anyone running cPanel/WHM in a homelab, VPS, or self-hosted environment should probably patch soon. cPanel fixed multiple security vulnerabilities (on May 8) including denial-of-service related issues and other security risks that could impact exposed hosting panels (and one of them is cvss 9.8 and pretty easy to exploit). Since a lot of lab environments leave management panels internet-facing for convenience, this is one of those updates worth prioritizing.