cPanel before 60.0.25 allows an open redirect via /cgi-sys/FormMail-clone.cgi (SEC-162).

cPanel before 60.0.25 allows file-overwrite operations during preparation for MySQL upgrades (SEC-161).

cPanel before 60.0.25 allows stored XSS in the WHM Repair Mailbox Permissions interface (SEC-159).

cPanel before 62.0.17 allows demo accounts to execute code via the Htaccess::setphppreference API (SEC-232).

cPanel before 62.0.17 allows access to restricted resources because of a URL filtering error (SEC-229).

cPanel before 62.0.17 does not properly recognize domain ownership during addition of parked domains to a mail configuration (SEC-228).

cPanel before 62.0.17 does not have a sufficient list of reserved usernames (SEC-227).

cPanel before 62.0.17 allows arbitrary file-overwrite operations via the WHM Zone Template editor (SEC-226).

cPanel before 62.0.17 allows a CPHulk one-day ban bypass when IP based protection is enabled (SEC-224).

cPanel before 62.0.17 allows code execution in the context of the root account via a long DocumentRoot path (SEC-225).

cPanel before 62.0.17 allows does not preserve security policy questions across an account rename (SEC-223).

cPanel before 62.0.17 allows arbitrary code execution during automatic SSL installation (SEC-221).

cPanel before 62.0.17 allows arbitrary code execution during account modification (SEC-220).

cPanel before 62.0.17 allows file overwrite when renaming an account (SEC-219).

cPanel before 62.0.17 allows arbitrary file-read operations via WHM /styled/ URLs (SEC-218).

cPanel before 62.0.17 allows self XSS in the WHM cPAddons showsecurity interface (SEC-217).

In cPanel before 62.0.17, addon domain conversion did not require a package for resellers (SEC-208).

cPanel before 62.0.24 allows stored XSS in the WHM cPAddons install interface (SEC-262).

cPanel before 64.0.21 does not preserve supplemental groups across account renames (SEC-260).

cPanel before 64.0.21 allows code execution via Rails configuration files (SEC-259).