CVE-2026-29204

CRITICAL NVD

CVSS Score 10

Severity CRITICAL

Published May 12, 2026

Vendor unknown

Description

Insufficient ownership checks in `clientarea.php` allow an authenticated client area user to submit requests using another user’s `addonId` without any ownership validation leading to unauthorized access to the victim's resources and their cPanel account.

References

https://help.whmcs.com/m/125386/l/2073908-cve-2026-29204?token=_4RH-0s0febHsrNiC8GdPymsqg3_nSdT