CVE-2026-32993 | THREATINT

Description

Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.

PUBLISHED Reserved 2026-03-17 | Published 2026-05-13 | Updated 2026-05-14 | Assigner hackerone

HIGH: 8.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Problem types

CWE-93 CRLF Injection

Product status

Default status

unaffected

11.132.0.0 (semver) before 11.132.0.32

affected

11.134.0.0 (semver) before 11.134.0.26

affected

11.136.0.0 (semver) before 11.136.0.10

affected

Default status

unaffected

11.132.1.0 (semver) before 11.136.1.12

affected

References

support.cpanel.net/...el-WHM-WP2-Security-Update-May-13-2026

cve.org (CVE-2026-32993)

nvd.nist.gov (CVE-2026-32993)

Download JSON