CRITICAL 4 min read 28 May 2026

LiteSpeed CVE-2026-48172 - Active Exploitation Pushes cPanel Plugin Checks to the Top

LiteSpeed User-End cPanel Plugin CVE-2026-48172 leads today's intelligence because the evidence records both active exploitation and a fixed version, 2.4.5. Three CISA KEV updates also widen the day's work across developer endpoints, npm packages and Windows utilities.

Key findings
01
Finding: LiteSpeed User-End cPanel Plugin CVE-2026-48172 active exploitation
MEDIUM
[Medium] The 02:34 UTC evidence review identifies CVE-2026-48172 as the only new active-exploitation item in today's run. The affected component is LiteSpeed User-End cPanel Plugin versions 2.3 through 2.4.4, with version 2.4.5 identified as the update target.
02
Finding: UPDATE: DAEMON Tools Lite CVE-2026-8398 enters CISA KEV
HIGH
[High] Previously tracked; today's delta is CISA KEV addition on 2026-05-27 with a 2026-05-30 due date. The source matrix cites NVD affected-version context for Windows versions 12.5.0.2421 through 12.5.0.2434 distributed from the legitimate vendor site.
03
Finding: UPDATE: Nx Console CVE-2026-48027 enters CISA KEV
HIGH
[High] Previously tracked; today's delta is CISA KEV addition on 2026-05-27. The source matrix cites NVD identifying malicious Nx Console version 18.95.0, briefly exposed through Visual Studio Marketplace and OpenVSX.
04
Finding: UPDATE: TanStack CVE-2026-45321 enters CISA KEV
HIGH
[High] Previously tracked; today's delta is CISA KEV addition on 2026-05-27. The source matrix states that NVD records 84 malicious versions across 42 @tanstack/* packages.
05
Finding: Yamcs CVE-2026-46562 and CVE-2026-46621 RCE paths [UNCONFIRMED, single-source]
LOW
[Low] The 02:34 UTC evidence review records two GitHub advisory items for Yamcs before fixed build 5.12.7. CVE-2026-46562 concerns mission database algorithm override paths that can lead to remote code execution. CVE-2026-46621 concerns authenticated Jython algorithm injection.
06
Finding: Kata runtime-rs CVE-2026-47243 virtiofs guest escape [UNCONFIRMED, single-source]
LOW
[Low] A GitHub advisory records a Kata Containers runtime-rs and virtiofs deployment issue where guest-root can cross to host-root. That matters most in multi-tenant, sandboxed or confidential-container contexts.
07
Finding: FUXA CVE-2026-47717 unauthenticated project/config/script disclosure [UNCONFIRMED, single-source]
CRITICAL
[Low] The advisory evidence records that FUXA before 1.3.1 exposes server-side scripts and device configurations without authentication. Because FUXA sits near industrial and HMI-style monitoring, exposed project data can reveal device topology and control logic.
08
Finding: compliance-trestle CVE-2026-45725 arbitrary file write [UNCONFIRMED, single-source]
LOW
[Low] The advisory evidence records that compliance-trestle remote fetching and cache path traversal can allow arbitrary file write. Compliance automation often runs near evidence, policy artefacts and CI/CD workflows, so file-write paths deserve owner routing.
09
Finding: Pimcore CVE-2026-45704 and CVE-2026-45703 access-control issues [UNCONFIRMED, single-source]
LOW
[Low] The advisory evidence records two Pimcore GitHub advisory items: a CustomReports share bypass before 12.3.6 and a WordExport authorisation bypass before 12.3.7. Pimcore can hold commerce, product and content data, so report and export controls need verification.
10
Finding: Watchlist items deliberately held back
MEDIUM
[Medium] TrapDoor, malicious Claude-dir npm reporting, SymJack and X-only ransomware victim claims are not findings in this bundle. The available evidence keeps them in watchlist handling because the collected sweeps lack stable advisory identifiers, victim statements, regulator filings, IOC sets or Tier-0 corroboration.

Finding: LiteSpeed User-End cPanel Plugin CVE-2026-48172 active exploitation

Confidence: Medium

The 02:34 UTC evidence review identifies CVE-2026-48172 as the only new active-exploitation item in today's run. The affected component is LiteSpeed User-End cPanel Plugin versions 2.3 through 2.4.4, with version 2.4.5 identified as the update target.

This is a hosting and MSP problem before it is a generic CVE problem. A vulnerable cPanel plugin on shared or managed hosting can put many customer sites behind one control-plane decision. The immediate task is to identify installs, prove version 2.4.5 or later, and review shared-hosting servers for suspicious privilege-escalation activity.

Finding: UPDATE: DAEMON Tools Lite CVE-2026-8398 enters CISA KEV

Confidence: High

Previously tracked; today's delta is CISA KEV addition on 2026-05-27 with a 2026-05-30 due date. The source matrix cites NVD affected-version context for Windows versions 12.5.0.2421 through 12.5.0.2434 distributed from the legitimate vendor site.

Security teams should inventory DAEMON Tools Lite on managed Windows endpoints, remove or update affected versions, and inspect installations sourced during the affected window. This is endpoint hygiene with incident-review consequences, not a server-only patch task.

Finding: UPDATE: Nx Console CVE-2026-48027 enters CISA KEV

Confidence: High

Previously tracked; today's delta is CISA KEV addition on 2026-05-27. The source matrix cites NVD identifying malicious Nx Console version 18.95.0, briefly exposed through Visual Studio Marketplace and OpenVSX.

The risk sits inside developer tooling. Audit IDE extension inventories for Nx Console 18.95.0, remove the extension where present, rotate developer tokens if exposure is confirmed, and check developer workstations rather than relying only on server vulnerability scanners.

Finding: UPDATE: TanStack CVE-2026-45321 enters CISA KEV

Confidence: High

Previously tracked; today's delta is CISA KEV addition on 2026-05-27. The source matrix states that NVD records 84 malicious versions across 42 @tanstack/* packages.

Review npm lockfiles, build caches and artefact stores for affected @tanstack/* versions. If compromised packages entered developer or CI environments, rebuild from clean dependencies and rotate tokens tied to those environments.

Finding: Yamcs CVE-2026-46562 and CVE-2026-46621 RCE paths [UNCONFIRMED, single-source]

Confidence: Low/Unverified

The 02:34 UTC evidence review records two GitHub advisory items for Yamcs before fixed build 5.12.7. CVE-2026-46562 concerns mission database algorithm override paths that can lead to remote code execution. CVE-2026-46621 concerns authenticated Jython algorithm injection.

Treat these as patch-routing prompts for environments that actually run Yamcs. Update to the fixed 5.12.7 build where present, restrict algorithm authoring and approval, and review privileged project-import workflows.

Finding: Kata runtime-rs CVE-2026-47243 virtiofs guest escape [UNCONFIRMED, single-source]

Confidence: Low/Unverified

A GitHub advisory records a Kata Containers runtime-rs and virtiofs deployment issue where guest-root can cross to host-root. That matters most in multi-tenant, sandboxed or confidential-container contexts.

Inventory runtime-rs and virtiofs usage, apply the advisory mitigation or patch, and prioritise workloads where a guest boundary is part of the security model.

Finding: FUXA CVE-2026-47717 unauthenticated project/config/script disclosure [UNCONFIRMED, single-source]

Confidence: Low/Unverified

The advisory evidence records that FUXA before 1.3.1 exposes server-side scripts and device configurations without authentication. Because FUXA sits near industrial and HMI-style monitoring, exposed project data can reveal device topology and control logic.

Update FUXA to 1.3.1 or later. Also review internet-exposed instances for unauthenticated access to project, configuration and script data.

Finding: compliance-trestle CVE-2026-45725 arbitrary file write [UNCONFIRMED, single-source]

Confidence: Low/Unverified

The advisory evidence records that compliance-trestle remote fetching and cache path traversal can allow arbitrary file write. Compliance automation often runs near evidence, policy artefacts and CI/CD workflows, so file-write paths deserve owner routing.

Update compliance-trestle to 4.0.3 and restrict untrusted remote fetches in compliance automation pipelines.

Finding: Pimcore CVE-2026-45704 and CVE-2026-45703 access-control issues [UNCONFIRMED, single-source]

Confidence: Low/Unverified

The advisory evidence records two Pimcore GitHub advisory items: a CustomReports share bypass before 12.3.6 and a WordExport authorisation bypass before 12.3.7. Pimcore can hold commerce, product and content data, so report and export controls need verification.

Update Pimcore to at least 12.3.6 where CustomReports is used and 12.3.7 where WordExport is enabled. Review shared report access and export permissions after patching.

Finding: Watchlist items deliberately held back

Confidence: Medium

TrapDoor, malicious Claude-dir npm reporting, SymJack and X-only ransomware victim claims are not findings in this bundle. The available evidence keeps them in watchlist handling because the collected sweeps lack stable advisory identifiers, victim statements, regulator filings, IOC sets or Tier-0 corroboration.

That restraint keeps the client action list focused on assets that can be located, patched, hunted or reviewed now.

Why This Matters

Today's work crosses asset classes that many organisations do not inventory well: cPanel plugins, IDE extensions, npm packages, Windows endpoint utilities, container runtimes, HMI-adjacent software, compliance tooling and CMS modules. The key question is not only whether a CVE exists. It is whether the affected component is present, exposed, fixed and covered by evidence after remediation.

Recommended Actions

  • Verify LiteSpeed User-End cPanel Plugin version 2.4.5 or later across hosting and MSP fleets, then review vulnerable hosts for privilege-escalation indicators.
  • Audit developer endpoints and CI environments for Nx Console 18.95.0 and affected @tanstack/* versions; rotate credentials where exposure is confirmed.
  • Inventory DAEMON Tools Lite on managed Windows endpoints and remove or update affected 12.5.0.2421 through 12.5.0.2434 versions.
  • Patch Yamcs, Kata runtime-rs/virtiofs, FUXA, compliance-trestle and Pimcore where present, with priority for internet-facing, multi-tenant, regulated, OT/HMI or mission environments.
  • Keep watchlist-only stories out of client findings until future sweeps provide strict material-update proof.
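
The version boundaries quoted in the findings can be applied directly to an asset inventory. The script below is an added example, not part of the original brief: the lower-cased component names, hosts and sample inventory are constructed, and Pimcore rules are labelled by issue because the brief does not pair each threshold with a CVE. TanStack, Kata and compliance-trestle are left out because the brief states no affected range for them.

```python
import re

# (component, low inclusive or None, high, high_inclusive, label). Boundaries are from
# this brief; the lower-cased component names are assumed inventory naming.
RULES = [
    ("litespeed user-end cpanel plugin", "2.3", "2.4.4", True, "CVE-2026-48172"),
    ("daemon tools lite", "12.5.0.2421", "12.5.0.2434", True, "CVE-2026-8398"),
    ("nx console", "18.95.0", "18.95.0", True, "CVE-2026-48027"),
    ("yamcs", None, "5.12.7", False, "CVE-2026-46562 / CVE-2026-46621"),
    ("fuxa", None, "1.3.1", False, "CVE-2026-47717"),
    ("pimcore", None, "12.3.6", False, "CustomReports share bypass"),
    ("pimcore", None, "12.3.7", False, "WordExport authorisation bypass"),
]

def vtuple(version, width=4):
    """Parse a numeric dotted version into a zero-padded tuple; None if not parseable."""
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,%d}" % (width - 1), version):
        return None
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def triage(inventory):
    """Return (host, component, version, status) for each inventory row."""
    rows = []
    for host, component, version in inventory:
        rules = [r for r in RULES if r[0] == component.strip().lower()]
        v = vtuple(version)
        if not rules:
            status = "not covered by this brief"
        elif v is None:
            # Suffixes such as "-hotfix" cannot be ordered safely, so do not guess.
            status = "MANUAL REVIEW: unparseable version"
        else:
            hits = [label for _, lo, hi, incl, label in rules
                    if (lo is None or v >= vtuple(lo))
                    and (v <= vtuple(hi) if incl else v < vtuple(hi))]
            status = "AFFECTED: " + "; ".join(hits) if hits else "outside affected range"
        rows.append((host, component, version, status))
    return rows

# Constructed sample inventory (hosts and versions are made up for the example).
SAMPLE = [("web-01", "LiteSpeed User-End cPanel Plugin", "2.4.4"),
          ("web-02", "LiteSpeed User-End cPanel Plugin", "2.4.5"),
          ("dev-07", "Nx Console", "18.95.0"),
          ("cms-01", "Pimcore", "12.3.6")]
if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep=" | ")
```

Rows marked for manual review need a human decision; a version string the parser cannot order is not evidence of a fixed build.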

All findings grounded in a13e intelligence sweeps through 04:55 UTC 28 May 2026.
