Just days after patching the CVE-2026-41940 authentication bypass that compromised 44,000 servers, cPanel issued a second emergency patch addressing three new vulnerabilities. These CVEs—29201, 29202, and 29203—were discovered during a deeper code audit following the April ransomware attack that deployed a Go-based Linux encryptor called "Sorry."

Two of the three vulnerabilities carry CVSS scores of 8.8, placing them in the High severity tier. CVE-2026-29202 allows arbitrary Perl code execution by authenticated users, while CVE-2026-29203 enables privilege escalation through unsafe symlinks. The less critical CVE-2026-29201 still enables arbitrary file reads that could aid follow-up attacks.

The concentrated remediation cycle reflects a worrying trend where initial critical patches trigger the discovery of additional vulnerabilities. Web hosting administrators should run `/scripts/upcp` immediately to patch systems, treating potentially compromised servers with forensic investigation rather than simple patching.