LiteSpeed cPanel Plugin Privilege Escalation (CVE-2026-48172)
Severity Assessment
- Exploitability: 6.9/10
- Impact: 7.6/10
- Weaponization Risk: 7.2/10
- Patch Urgency: 8.5/10
- Detection Coverage: 5.2/10
Summary
CVE-2026-48172 affects the LiteSpeed cPanel Plugin and is classified as a privilege-escalation issue. The CVE is tracked in multiple authoritative sources and is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, which confirms its exploitation significance.
Public records do not give a definitive patch-version scope or exploitation-chain details beyond the classification and listing references. The available sources identify only the affected product, the vulnerability class, and the KEV listing.
Exploit Chain
Stage 1: Exposure Exists in Scope of the Affected Plugin
Public vulnerability records identify the LiteSpeed cPanel Plugin as the affected product line.
Stage 2: Exploitation Opportunity is Reported via KEV Inclusion
CISA’s inclusion of the CVE in the KEV catalog signals concern about active exploitation and raises operational urgency for environments running the affected component.
Detection Guidance
- Prioritize discovery of LiteSpeed cPanel Plugin deployments and validate exposure levels.
- Confirm vendor patch guidance from the official LiteSpeed advisory before assuming remediation status.
- Review management-plane and authentication activity for unusual privilege-use shifts during plugin operations.
- Correlate access logs around administrative operations to spot abnormal command patterns after external management requests.
- Validate alerting coverage for plugin-related privilege transitions, and check for alert-suppression gaps.
- Restrict remote access paths to the plugin where possible until full patch validation is completed.
Indicators of Compromise
Host and Process Indicators
- Unusual privilege changes on hosts where LiteSpeed cPanel Plugin management is enabled.
- Abnormal plugin-related service restarts or config-update activity that follows external requests.
Logging Indicators
- Repeated administrative actions from unexpected source addresses during non-maintenance windows.
- Sudden increases in privileged operations tied to plugin management processes.
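One way to turn the first logging indicator above into a check, as an added example that is not taken from the advisory or from LiteSpeed: it counts administrative actions per source address that come from outside an expected admin range and outside the maintenance window. The event format, the admin network, the window, and the threshold are all assumptions; map them to whatever your own management-plane logs provide.

```python
from collections import Counter
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumptions (hypothetical values, not from the advisory or the plugin):
ADMIN_NETS = [ip_network("10.20.0.0/24")]        # expected admin source range
MAINT_START, MAINT_END = time(2, 0), time(4, 0)  # daily maintenance window
THRESHOLD = 3                                    # "repeated" = 3+ actions per source

# Constructed sample events in a hypothetical format:
# "ISO-timestamp source-ip user action"
SAMPLE = """\
2026-05-27T02:15:00 10.20.0.5 root plugin_config_update
2026-05-27T03:10:00 198.51.100.7 root plugin_config_update
2026-05-27T13:01:10 198.51.100.7 root plugin_config_update
2026-05-27T13:01:40 198.51.100.7 root service_restart
2026-05-27T13:02:05 198.51.100.7 root plugin_config_update
2026-05-27T13:05:00 10.20.0.5 root service_restart
2026-05-27T14:00:00 203.0.113.9 root service_restart
not a valid line
"""

def parse(line):
    """Return (timestamp, ip, user, action), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), ip_address(parts[1]), parts[2], parts[3]
    except ValueError:  # bad timestamp or bad address
        return None

def in_maintenance(ts):
    return MAINT_START <= ts.time() < MAINT_END

def expected_source(ip):
    return any(ip in net for net in ADMIN_NETS)

def suspicious_sources(text):
    """Sources with THRESHOLD+ admin actions from unexpected addresses outside the window."""
    hits = Counter()
    for line in text.splitlines():
        event = parse(line)
        if event is None:
            continue  # skip lines that do not parse instead of failing the run
        ts, ip, _user, _action = event
        if not expected_source(ip) and not in_maintenance(ts):
            hits[str(ip)] += 1
    return {ip: n for ip, n in hits.items() if n >= THRESHOLD}

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE))
```
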
Disclosure Timeline
2026-05-21 — Disclosed in public sources
CVE-2026-48172 is publicly identified as affecting the LiteSpeed cPanel Plugin.
2026-05-26 — Added to KEV
CISA added CVE-2026-48172 to its Known Exploited Vulnerabilities catalog, increasing the urgency signal for remediation tracking.
Sources & References
- Cybersecurity and Infrastructure Security Agency: Known Exploited Vulnerabilities Catalog — Cybersecurity and Infrastructure Security Agency, 2026-05-26
- National Vulnerability Database: CVE-2026-48172 — National Vulnerability Database, 2026-05-21
- LiteSpeed: Security Update for cPanel Plugin — LiteSpeed, 2026-05-21