cPanel and WHM HTTP Header Injection Vulnerability in Nova Error Endpoint

Vulnerability

A vulnerability exists in cPanel & WHM versions 132 and higher, specifically within the WP Squared component. The issue arises from improper sanitization of the 'status' query parameter in the '/unprotected/nova_error' endpoint. This flaw allows unauthenticated attackers to inject arbitrary HTTP headers into the response.

Impact

Exploitation of this vulnerability could lead to the injection of malicious HTTP headers, potentially causing unexpected behavior in the application or client.

Remediation

Users can update to cPanel & WHM versions 11.132.0.32 and higher, 11.134.0.26 and higher, or 11.136.0.10 and higher. For WP Squared, version 11.136.1.12 and higher is recommended. After updating, verify the cPanel version to ensure the update was successful.
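The post-update check described above can be scripted. The following is an added example, not code from cPanel or from this page's author: it classifies a version string against the fixed builds listed in this section. The status labels, the `wp2` product tag and the handling of unlisted release branches are assumptions of the example; the version string is supplied by the caller.

```shell
#!/bin/sh
# Added example: classify a version string against the fixed builds in the
# Remediation section. Status labels and the "wp2" product tag are made up here.

# ver_ge A B: succeed when dotted numeric version A >= B, field by field.
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# nova_status VERSION [cpanel|wp2]
# Prints: fixed | needs-update | not-affected | unknown | invalid
nova_status() {
    v=${1#11.}                 # accept 11.132.0.32 as well as 132.0.32
    product=${2:-cpanel}
    case $v in ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 0 ;; esac
    branch=${v%%.*}
    if [ "$product" = wp2 ]; then
        # The page gives one recommended WP Squared build.
        if ver_ge "$v" 136.1.12; then echo fixed; else echo needs-update; fi
        return 0
    fi
    # The page states the flaw exists in versions 132 and higher.
    if [ "$branch" -lt 132 ]; then echo not-affected; return 0; fi
    case $branch in
        132) fixed=132.0.32 ;;
        134) fixed=134.0.26 ;;
        136) fixed=136.0.10 ;;
        *)  # Assumption: each threshold applies to its own branch; branches
            # above 136 are "higher", unlisted ones in between are unknown.
            if [ "$branch" -gt 136 ]; then echo fixed; else echo unknown; fi
            return 0 ;;
    esac
    if ver_ge "$v" "$fixed"; then echo fixed; else echo needs-update; fi
}

# Usage: nova_status 11.132.0.31   or   nova_status 11.136.1.12 wp2
if [ $# -gt 0 ]; then nova_status "$@"; fi
```

Build numbers are compared numerically, so a build such as 134.0.9 is correctly reported as older than 134.0.26.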

Added: May 13, 2026, 10:31 PM
Updated: May 13, 2026, 10:31 PM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 0.6
exploitability: 7.6
remediation: 7.7
relevance: 7.9
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.