Executive Summary
CISA added CVE-2026-48172 to the Known Exploited Vulnerabilities (KEV) Catalog on 2026-05-26 with a 2026-05-29 remediation due date CISA KEV opens in a new tab. The vulnerability is a critical privilege escalation flaw in the LiteSpeed User-End cPanel Plugin: any cPanel user account can abuse lsws.redisAble to execute arbitrary scripts as root LiteSpeed opens in a new tab NVD opens in a new tab.
NVD now records the exact vendor advisory and release-log references, lists vulnerable LiteSpeed cPanel Plugin versions up to but excluding 2.4.7, and includes the vendor-recommended log sweep for cpanel_jsonapi_func=redisAble under /var/cpanel/logs and /usr/local/cpanel/logs NVD opens in a new tab. This post details the technical mechanics, impact boundaries, and an automated Python triage script to parse server logs for active exploitation traces.