What is CVE-2026-32993?

CVE-2026-32993 is a high-severity vulnerability in Webpros Cpanel, classified under CRLF Injection. CVSS score: 8.3/10. Published 2026-05-13.

How severe is CVE-2026-32993?

High severity. CVSS v3 base score is 8.3 out of 10.

Vulnerability in Webpros Cpanel

CVE-2026-32993

Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.

Vulnerability class: CRLF Injection

EPSS: 0.000 (8.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.3 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L.

Affected products

Webpros Cpanel — versions 11.132.0.0, 11.134.0.0, 11.136.0.0
Webpros Wp Squared — versions 11.132.1.0

Weakness classification (CWE)

CWE-93 — CRLF Injection

References

support@hackerone.com

Frequently asked questions

What is CVE-2026-32993?: CVE-2026-32993 is a high-severity vulnerability in Webpros Cpanel, classified under CRLF Injection. CVSS score: 8.3/10. Published 2026-05-13.
How severe is CVE-2026-32993?: High severity. CVSS v3 base score is 8.3 out of 10.