
CISA adds LiteSpeed cPanel privilege escalation CVE to KEV catalog

Federal civilian agencies must patch CVE-2026-48172 by CISA's BOD 22-01 deadline; the specific due date is not published in the advisory.


TL;DR

CISA added CVE-2026-48172, a privilege escalation flaw in the LiteSpeed cPanel plugin, to the Known Exploited Vulnerabilities catalog based on evidence of active exploitation. Federal Civilian Executive Branch agencies must remediate by the catalog-listed due date under Binding Operational Directive 22-01. The advisory does not state the specific deadline. All organizations running the LiteSpeed cPanel plugin should treat this as priority patching regardless of BOD 22-01 applicability.

CISA added CVE-2026-48172, a privilege escalation vulnerability in the LiteSpeed cPanel plugin, to its Known Exploited Vulnerabilities (KEV) catalog on May 26, 2026. The addition is based on evidence of active exploitation in the wild.

Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies are required to remediate every CVE in the KEV catalog by its listed due date. The specific remediation deadline for CVE-2026-48172 is not included in the advisory text; agencies should check the catalog directly for the applicable date. BOD 22-01 does not extend to state, local, or private-sector entities, but CISA's standard guidance urges all organizations to prioritize KEV entries in their vulnerability management programs.


Published ·Updated ·Deep Fathom

CISA adds LiteSpeed cPanel privilege escalation CVE to KEV catalog — The Broadside