1. cPanel & WHM Documentation
  2. Change Logs
  3. cPanel & WHM Change Log
  4. 134 Change Log

134 Change Log

Last modified: 2026 April 6

134.0.15

2026-04-06
  • Fixed CPANEL-50134: Allow Team user password invitation to work when the API log is enabled.
  • Fixed CPANEL-50423: Prevent team sub-account members from accessing WHMCS integration endpoints to block a privilege escalation path to WHM root.
  • Fixed CPANEL-50744: Fixed manage disk usage in Roundcube with sieve scripts present.
  • Fixed CPANEL-51415: Cleanup locale bits in cPStore Market Provider.
  • Fixed CPANEL-51591: Fix vacation autoresponse emails being bounced by providers like Gmail due to an empty envelope sender (-f <>) causing SPF/DKIM failures.
  • Fixed CPANEL-52185: The MultiPHP Manager outdated PHP banner now includes a description explaining that outdated PHP versions no longer receive security updates and recommends PHP ELS. The More Info link is positioned inline with the description instead of pushed to the far right.
  • Fixed CPANEL-52197: Fixed XSS vulnerability when using /viewer/ routes.
  • Fixed CPANEL-52263: Fix dynamicui key for ssl_tls_unified feature so the unified SSL/TLS entry does not collide with the legacy key.
  • Fixed CPANEL-52300: Only re-throw non-TimeoutError exceptions in updateLicense() so the timeout recovery path is able to run.
  • Fixed CPANEL-52327: Fix Apache rebuild warnings and repeated survey prompts caused by root’s scoped userdata directory.
  • Fixed CPANEL-52340: Update cpanel-roundcubemail to 1.6.15.
  • Fixed CPANEL-52358: Use system curl for CloudLinux 8, since CloudLinux removed ea-libcurl.
  • Fixed CPANEL-52361: Do not promote PHP ELS on servers that have an immunify360 license.
  • Fixed CPANEL-52412: Fix ‘Apply DMARC Policy’ so it no longer overwrites existing DMARC records, and ensure it uses the server’s configured default policy rather than the hardcoded fallback.
  • Fixed CPANEL-52428: Fix cPanel MultiPHP Manager failing to display installed PHP versions with an out of date ea-cpanel-tools package.

134.0.13

2026-03-30
  • Fixed CPANEL-43087: Removed use of cpanel side user cache files.
  • Fixed CPANEL-50847: Stop creating one-time Mailman backups.
  • Fixed CPANEL-51568: Add ARC signing to SRS forwarded SMTP messages.
  • Implemented CPANEL-51579: Make EOL and hardened PHP versions more visually apparent in EasyApache 4 and MultiPHP Manager output.
    • Label outdated and secured PHP versions in the MultiPHP Manager UI.
    • Redesign the PHP ELS installation progress indicator in MultiPHP Manager.
    • Add a WHM API endpoint to list sites using end-of-life PHP versions.
    • Add a PHP Status indicator to the WHM sidebar to highlight end-of-life and hardened PHP versions.
  • Implemented CPANEL-51589: Let’s Encrypt certificates may be obtained from TLS wizard even if cPanel Store is disabled.
  • Fixed CPANEL-51678: Fix FileManager upload popup incorrectly tracking anonymous Mixpanel events regardless of user analytics consent settings.
  • Fixed CPANEL-51680: Use less alarming warning text for SSL certificates that are expiring soon but will be auto-renewed.
  • Fixed CPANEL-51680: Fix false-alarm SSL expiry warnings for AutoSSL-managed domains.
  • Fixed CPANEL-51765: PHP versions older than the system-configured minimum are now labeled “Outdated” in the MultiPHP Manager and EasyApache 4 CloudLinux interfaces, replacing the previous “Deprecated” label.
  • Fixed CPANEL-51959: Fix styling of the Cancel button in the outdated PHP version confirmation dialog on the WHM MultiPHP Manager page.
  • Fixed CPANEL-52006: Update PHP to 8.4.19.
  • Fixed CPANEL-52182: Update cpanel-geoipfree-data.
  • Fixed CPANEL-52224: CPAN updates, addressing CVE-2026-4177, CVE-2006-10002, CVE-2006-10003.
  • Implemented WPX-10026: Added the Stats::get_stats_daily UAPI method to retrieve daily AwStats data for a domain.

134.0.12

2026-03-23
  • Fixed CPANEL-51921: Upgrade Compress::Raw::Zlib to 2.220+ to address CVE-2026-3381.
    • The previous version bundled a vulnerable zlib version earlier than 1.3.2.
  • Fixed CPANEL-52097: Update cpanel-roundcubemail to 1.6.14.
    • Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler.
    • Fix password change without old password validation.
    • Fix IMAP Injection and CSRF bypass in mail search.
    • Fix remote image blocking bypass via SVG animate attributes and body background attribute.
    • Fix fixed position mitigation bypass via use of !important.
    • Fix XSS issue in HTML attachment preview.
    • Fix SSRF and Information Disclosure via stylesheet links to local network host.

134.0.11

2026-03-09
  • Fixed CPANEL-46546: Fix Ticket Assist firewall detection when Imunify360 creates /etc/csf without installing the CSF binary.
  • Fixed CPANEL-51652: Removes Site Publisher deprecation notices from cPanel tools page, and the notification UI in WHM and cPanel.
  • Fixed CPANEL-51833: Remove the Site Publisher link from the Domains additional resources panel.
  • Fixed CPANEL-51917: Upgrade Net::CIDR to 0.27 to address CVE-2021-4456.
  • Fixed CPANEL-51919: Upgrade Crypt::URandom for CVE-2026-2474.
  • Fixed DUCKS-4995: Improve required extension handling and warning messages in WHM package forms.
  • Implemented CPANEL-50221: Add frontend Mixpanel tracking for temporary-domain create and conversion flows in WHM and cPanel.
  • Implemented CPANEL-50464: Improve SSL/TLS Wizard usability: add search-clearing buttons in the simple and advanced views, fix the product search button icon behavior, and automatically focus the search input when domains are pre-selected at page load.
  • Implemented CPANEL-50826: Clear SSL/TLS Wizard search fields when the Escape key is pressed.
  • Implemented CPANEL-51430: Add automatic reissuance of short-lived (200-day) SSL certificates via the cPanel Store API.

134.0.10

2026-03-02
  • Fixed CPANEL-47555: MySQL and MariaDB upgrades now detect and automatically remove version locks when proceeding with the upgrade, preventing database service from being left in a non-functional state.
  • Fixed CPANEL-50847: Unprivileged users can access Mailman backups. Fix updates cpanel-mailman to 2.2.0.41-1.cp130 and restricts permissions on Mailman backup directory/files.
  • Implemented DUCKS-5070: Initial setup of cpanel-bannerx-plugin. Adds Imunify promotion banner to WHM Security Advisor and WHM Home Page. (cPanel Direct Promotion Only)
  • Implemented CPANEL-51581: Update cpanel-php84 to 8.4.18.

134.0.9

2026-02-23
  • Case SEC-67580: Fix cPanel File Download Endpoint IDOR Vulnerability.
    • CVSS Score: 6.5
    • CVSS 3.1:AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    • Reporter: Rhevin Fardhika
  • Fixed CPANEL-50825: Domain search has no message for an empty filtered list. Add an info alert banner for both the Simple and Advanced domain views.
  • Implemented CPANEL-50806: Add breadcrumb links to the combined SSL page’s tabs’ child pages.

134.0.8

2026-02-17
  • Improved CPANEL-47921: Added a new tweak setting to control web server log archive retention and a script to perform automated cleanup.
  • Improved CPANEL-47921: Added WHM API for managing web server log retention settings across accounts.
  • Improved CPANEL-47921: Added log retention controls to the Raw Access and Log Manager interfaces.
  • Improved CPANEL-47921: Added a WHM interface for managing web server log retention settings across cPanel accounts.
  • Fixed CPANEL-51630: Resolved 403 error accessing the analytics configuration page in WHM.

134.0.7

2026-02-16
  • Fixed CPANEL-43386: Transfer tool now automatically updates PHP handlers in .htaccess files to match the destination server's available handlers, preventing PHP configuration issues after transfers.
  • Fixed CPANEL-46584: Harden MySQL upgrade process by setting locale to C defensively.
  • Fixed CPANEL-47033: Fix MariaDB 10.11+ startup error caused by attempting to load the non-existent auth_socket.so plugin.
  • Fixed CPANEL-50213: Set autoexpunge rules for mailboxes in the config blocks which initially set them up instead of later in IMAP/POP settings.
  • Fixed CPANEL-50213: Fix maildirsize file not getting re-created if missing on IMAP login.
  • Fixed CPANEL-50935: The system now applies the Update DNS Zone setting when you use the Apply to Other Selected Accounts button in the Transfer Tool.
  • Implemented CPANEL-50997: Enable cPStore by default on fresh installations.
  • Fixed CPANEL-51092: Modify SpamAssassin to recognize different Exim behavior when using the “+all” log selector.
  • Fixed CPANEL-51274: Fix tool link issues on the Domains page.
  • Fixed CPANEL-51346: Fixed Whostmgr::Quota::setusersquota() condition that confused 0 with unlimited.
  • Fixed CPANEL-51510: Update cpanel-roundcubemail to 1.6.13. Fix CSS injection vulnerability reported by CERT Polska. Fix remote image blocking bypass via SVG content reported by nullcathedral.
  • Fixed DUCKS-4324: Rename PAL to Nova with automated migration infrastructure.
  • Fixed DUCKS-5147,DUCKS-5111: Add translations related to Nova for 8 languages.

134.0.6

2026-02-02
  • Fixed CPANEL-49245: Stop stripping ‘defaults’ from fstab for disks which support usrjquota.
  • Fixed CPANEL-49681: Fix proxydomains CalDAV/CardDAV SRV records writing literal ‘%domain%’ placeholder instead of actual domain name to DNS zones.
  • Fixed CPANEL-50385: Fix 404 errors when granting support access for forked tickets where SSH keys already exist from parent tickets.
  • Fixed CPANEL-50673: Update ssl_minimum_protocol list for Dovecot 2.4.
  • Fixed CPANEL-50872: Force dovecot quota recalculation when deleting emails via the webmail interface.
  • Fixed CPANEL-51016: Make the ‘Process Memory Limit: config (MB)’ setting in WHM » Mailserver Configuration apply to more Dovecot subprocesses/services.
  • Fixed CPANEL-51020: Fix archive.* domains failing SMTP authentication in roundcube.
  • Fixed CPANEL-51068: Address ‘Use of uninitialized value’ errors when saving TweakSettings.
  • Fixed CPANEL-51163: Update PHP to 8.4.17.
  • Fixed CPANEL-51255: Fix incorrect email disk usage calculations in Dovecot 2.4 where INBOX.INBOX folders and subaccount folders were incorrectly counted in quota.
  • Fixed CPANEL-51335: Fix hook script output parsing when third-party hooks output JSON data before the result line.
  • Implemented CPANEL-50759: Fix EasyApache4 wizard to correctly auto-select PHP extensions when installing ALT PHP versions from CloudLinux.

134.0.5

2026-01-22
  • Fixed CPANEL-39627: Allow configuring Dovecot to not provide SSL SNI support to service subdomains, in order to save against Dovecot memory limits when the number of domains served is very high.
  • Fixed CPANEL-45395: Prevent Live Transfer from modifying custom A records that point to external servers.
  • Fixed CPANEL-50990: Add Annual survey notification.

134.0.4

2026-01-16
  • Fixed CPANEL-51118: Fix "Oops" page displaying on MySQL roundcube.

134.0.3

2026-01-15
  • Fixed CPANEL-48631: Exempt CalDAV/CardDAV from DoS protection.
  • Fixed CPANEL-50191: Fix mails on maildir immediately going to cur/ on delivery instead of new/.
  • Fixed CPANEL-50245: Add unified SSL interface.
  • Fixed CPANEL-50565,CPANEL-50567,CPANEL-50665: Add additional File Manager usage analytics.
  • Fixed CPANEL-51044: Fix config location for 999-cpanel-plugins.inc.php in cpanel-roundcubemail-plugins-cpanel package.
  • Fixed CPANEL-51074: Add support for File::Scan::ClamAV on U24.
  • Fixed DUCKS-4951: Fix 360 monitoring widget load failure on account creation page.

134.0.2

2026-01-12
  • Implemented CPANEL-50950: Add in-app survey widget ‘formbricks’ to Roundcube via plugin.
  • Implemented CPANEL-50960: Add a rollback event for activating a comet backup via the admin panel.

134.0.1

2026-01-08
  • Fixed CPANEL-50911: Fix various issues in openapi specs.
  • Fixed CPANEL-50919: Fix masterContainer’s data-app-key being set inconsistently in some mysql upgrade ‘stage’ pages.
  • Fixed DUCKS-4604: New package type system with dynamic feature filtering, built for Nova AI App Builder.
  • Implemented CPANEL-50963: Enable Imunify support on A10/CL10.
  • Implemented DUCKS-4751: Extended create_user_session API to pass prompt parameter to Nova AI.

134.0.0

2026-01-07
  • Fixed CPANEL-39397: Fixed terminal in cPanel from having cpsrvd memory limit.
  • Fixed CPANEL-46346: Extend DNS Peer timeouts to 15 to be more tolerant of slow peers.
  • Fixed CPANEL-47901: Use the subdomain suggestion for the copyable record.
  • Fixed CPANEL-48012: Reinitialize Roundcube CardDAV tables post-transfer.
  • Fixed CPANEL-48405: Perform RFC 2047 escaping on spamd content preview.
  • Fixed CPANEL-48816: Fixed excessive requests when listing items on Email Accounts interface.
  • Fixed CPANEL-48862: Adjust timeout for restorepkg runs initiated via the UI.
  • Fixed CPANEL-48960: Address issues related to call_as_user with no GID.
  • Fixed CPANEL-49007: Avoid unnecessary NS lookups for temporary domains.
  • Fixed CPANEL-49082: Teach create account page to respect the unlimited radio button.
  • Fixed CPANEL-49111: Block webmail feature for accounts that do not have the webmail ACL.
  • Fixed CPANEL-49116: Verify access to feature before allowing user to download file.
  • Fixed CPANEL-49179: Allow preexisting accounts with reserved names.
  • Fixed CPANEL-49246: Update DNS entry handling to skip temporary domain.
  • Fixed CPANEL-49254: Limit script execution via iframe sandbox attributes in Jodit.
  • Fixed CPANEL-49322: Fix eval_full when code isn’t a coderef.
  • Fixed CPANEL-49379: Guard against undefined return from readdir in Cpanel::FileUtils::Dir.
  • Fixed CPANEL-49414: Mailman: Add Apache conf to protect against XSS in list archives.
  • Fixed CPANEL-49422: Perform line wrapping on RFC 2047 encoding.
  • Fixed CPANEL-49525: Also explode the SNI for non-main domains.
  • Fixed CPANEL-49530: Guard against undef UID/GID in userdata::Guard.
  • Fixed CPANEL-49544: Just hardcode the pop3 UIDL format.
  • Fixed CPANEL-49551: Fix cPanel user’s crontab not deleting.
  • Fixed CPANEL-49586: Do not show in product survey on DNSOnly servers.
  • Fixed CPANEL-49611: Remove redundant sync arg in ‘doveadm sync’ calls for CpsrvdClient.
  • Fixed CPANEL-49683: Update awstats pkg for CWE-78/PTT-2025-021.
  • Fixed CPANEL-49802: Handle imunify360-agent errors better in SecAdv.
  • Fixed CPANEL-49943: Fix config checker routines in Cpanel::AdvConfig::dovecot.
  • Fixed CPANEL-49983: Handle arbitrary NetworkManager profile names.
  • Fixed CPANEL-49998: Make imap-master and imap-hibernate run as privileged dovecot user.
  • Fixed CPANEL-50001: Account for 0 -> unlimited on Dovecot 2.4.
  • Fixed CPANEL-50079: Fix userdb returns no longer needing prefixing on dovecot 2.4.2+.
  • Fixed CPANEL-50088: Fix NSEC3 OpenAPI specs to match cPanel versions.
  • Fixed CPANEL-50113: Ensure dovecot_config_version ALWAYS equals dovecot version.
  • Fixed CPANEL-50133: Change MySQL (phpMyAdmin) definers to new temp user.
  • Fixed CPANEL-50141: Handle undef from what_owns_no_errors on Ubuntu.
  • Fixed CPANEL-50161: Autofix net-snmp issue in ‘scripts/sysup’.
  • Fixed CPANEL-50170: Make the X-Spam-Header purely ASCII.
  • Fixed CPANEL-50236: Only run net-snmp autofix on upgrade to 132.
  • Fixed CPANEL-50271: Fix ability to set Dovecot ssl.conf settings.
  • Fixed CPANEL-50272: Remove locale-based lowercasing for domain creation in cPanel.
  • Fixed CPANEL-50286: Ensure lvemanager is functional on CloudLinux.
  • Fixed CPANEL-50319: Fix the PHP warning caused by setting session.gc_divisor to 0.
  • Fixed CPANEL-50422: Install other net-snmp-* packages during sysup.
  • Fixed CPANEL-50492: Wait for the php els license to update before trying to install.
  • Fixed CPANEL-50514: Fix PHP deprecation messages from Roundcube.
  • Fixed CPANEL-50547: Update SysPkgr::YUM to output the updated excludes.
  • Fixed CPANEL-50569: Fix polling for checking the PHP ELS repo.
  • Fixed CPANEL-50592: Handle .local tmpls for DovecotSNI and DovecotSSL.
  • Fixed CPANEL-50612: Fix typo referring to cpdoveauth_domainownerd.sock.
  • Fixed CPANEL-50614: Change default value for auth_allow_cleartext to YES.
  • Fixed CPANEL-50631: Remove dupes from Whostmgr::Addons::Pkgr::get_modules().
  • Fixed CPANEL-50682: Fix easyapache UI localstorage limit error.
  • Fixed CPANEL-50742: Remove antiquated queueprocd memory optimizations.
  • Fixed CPANEL-50748: Add check for RecentAuthedMailIp.
  • Fixed CPANEL-50834: Fix easyapache UI localstorage limit error.
  • Fixed CPANEL-50851: Add a “way out” of having 900ms+ template overhead on all WHM pageloads.
  • Fixed CPANEL-50875: Fix race condition in restorepkg log file creation.
  • Improved CPANEL-40311: Localization of new UI field for S3 backups.
  • Improved CPANEL-47980: Add SSL Certificate Status messages to sidebar of cPanel tools page.
  • Improved CPANEL-48418: Make stats program state/requirements clearer.
  • Improved CPANEL-49030: Implement a way to detect a new survey from WebPros Account.
  • Improved CPANEL-49060: Prevent cPanel SSL Products from showing in WHM by default, with WebPros Account override.
  • Improved CPANEL-49061: Defer automatic issuance of SSL certificates for new domains via WebPros Account.
  • Improved CPANEL-49080: Support Team users for the in product survey.
  • Improved CPANEL-49192: In-product Survey cPanel and Webmail.
  • Improved CPANEL-49266: Add WebPros Account Only login support.
  • Improved CPANEL-49267: Add direct WPA login URL to post install output.
  • Improved CPANEL-49395: Allow Ubuntu 22 to upgrade to Ubuntu 24.
  • Improved CPANEL-49568: Change default value for auth_allow_weak_schemes.
  • Improved CPANEL-49569: Add –stdout-archive to pkgacct for cometbackup.
  • Improved CPANEL-49608: Add a repo for MariaDB 10.6.
  • Improved CPANEL-49916: Provide a cp132 unbound update for 132+.
  • Improved CPANEL-49953: Add –skipdomainkeys to pkgacct.
  • Improved CPANEL-49965: Add missing –disable flags and –from-stdin to restorepkg.
  • Improved CPANEL-49987: Switch LE account key to ECDSA on upgrade.
  • Improved CPANEL-50028: Update Exim to 4.99.
  • Improved CPANEL-50198: Add pcre2-utf32 as a required package for RHEL based distros.
  • Improved CPANEL-50214: Improve integration with Jodit Editor.
  • Improved CPANEL-50320: Assorted tweaks for Paid SSL implementation.
  • Improved CPANEL-50324: Add Site Publisher deprecation notice to WHM.
  • Improved CPANEL-50339: Allow for Nodejs variants.
  • Improved CPANEL-50376: Update PHP to 8.4.15.
  • Improved CPANEL-50429: Add install script to remove unattended-upgrades package.
  • Improved CPANEL-50463: Update unbound to 1.24.2.
  • Improved CPANEL-50486: Deprecate Site Publisher, and recommend SiteJet instead.
  • Improved CPANEL-50489: Support Temporary Domains in SSL Status.
  • Improved CPANEL-50497: Update cpanel-jodit-editor to 4.7.9-2.cp130.
  • Improved CPANEL-50536: Remove support for all Rocky Linux OSs.
  • Improved CPANEL-50575: Method-ize (un)suspending team MySQL user accounts.
  • Improved CPANEL-50615: Enable the zlib.compression PHP directive.
  • Improved CPANEL-50739: Update Roundcube to v1.6.12.
  • Improved CPANEL-50756: Bump rpm.versions for cpanel-exim 4.99.1.
  • Improved CPANEL-50852: Add DumpFile variants to Cpanel::JSON.

Additional Documentation