Is CVE-2026-54420 exploitable?

Yes — CVE-2026-54420 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning it is confirmed exploited in the wild.

Is CVE-2026-54420 a false positive?

No practitioners have marked CVE-2026-54420 a false positive so far (2 verdicts).

How do I remediate CVE-2026-54420?

Practitioners have shared remediation steps for CVE-2026-54420 — see the remediation notes on this page.

CVE-2026-54420

is CVE-2026-54420real, exploitable, or a false positive? Here's the community ground truth.

☆ Watch

High · CVSS 8.5EPSS 0.7%CISA KEVCWE-61

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.

References

NVD MITRE CVE.org CISA KEV

Published Jun 14, 2026

Embed this verdict

Markdown

[![TruePositive verdict](https://www.truepositive.app/cve/CVE-2026-54420/badge.svg)](https://www.truepositive.app/cve/CVE-2026-54420)

HTML

<a href="https://www.truepositive.app/cve/CVE-2026-54420"><img src="https://www.truepositive.app/cve/CVE-2026-54420/badge.svg" alt="TruePositive verdict for CVE-2026-54420"></a>

Live badge — updates automatically as the community verdict changes.

Community ground truth

Community verdict

2 verdicts

Not a real issue

Includes TruePositive's curated baseline from public sources — community verdicts accrue on top.

Pick your verdict — we'll save it right after a quick sign-in.

Community real-world severity: High (High 2) — CVSS base score 8.5

In line with its CVSS base score.

Field notes & remediation

Verdicts are the quick signal — notes are the evidence and fixes behind them.

0
Field note · Waleed AzizCurated
LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability — LiteSpeed cPanel plugin contains a UNIX symbolic link (Symlink) following vulnerability that could allow a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS. Listed in the CISA KEV catalog (added 2026-06-15) — confirmed exploited in the wild, not theoretical. FIRST EPSS puts the chance of exploitation in the next 30 days at ~1%. Treat it as real and prioritize remediation over triage.
0
Remediation · Priya NairCurated
Required action for LiteSpeed cPanel Plugin: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines. CISA set a federal remediation due date of 2026-06-18. After patching, verify the vulnerable path is no longer reachable before closing the finding.