1. cPanel & WHM Documentation
  2. Change Logs
  3. cPanel & WHM Change Log
  4. 136 Change Log

136 Change Log

Last modified: 2026 April 7

136.0.0

2026-04-07
  • Fixed CPANEL-38968: Remove deprecated Ruby on Rails and RubyGems features from WHM Feature Manager and cPanel Jupiter UI.
  • Fixed CPANEL-39627: Allow configuring Dovecot to not provide SSL SNI support to service subdomains, in order to save against Dovecot memory limits when the number of domains served is very high.
  • Fixed CPANEL-40311: New form field to specify region of S3-compatible backup destinations.
  • Fixed CPANEL-43087: Removed use of cpanel side user cache files.
  • Fixed CPANEL-43136: Fix Security Advisor to properly detect Imunify360, ImunifyAV, and ImunifyAV+ when market provider is disabled.
  • Fixed CPANEL-43386: Transfer tool now automatically updates PHP handlers in .htaccess files to match the destination server’s available handlers, preventing PHP configuration issues after transfers.
  • Fixed CPANEL-44000: scripts/cpdig now will print DNS errors if encountered.
  • Fixed CPANEL-45395: Prevent Live Transfer from modifying custom A records that point to external servers.
  • Fixed CPANEL-45401: Remove remaining ICQ/OSCAR related code from the product.
  • Fixed CPANEL-46346: Reduce timeouts in DNS Cluster interface by extending peer timeouts from 7->15.
  • Fixed CPANEL-46546: Fix Ticket Assist firewall detection when Imunify360 creates /etc/csf without installing the CSF binary.
  • Fixed CPANEL-46581: Obfuscate the whm-server-status apache endpoint.
  • Fixed CPANEL-46584: Harden MySQL upgrade process by setting locale to C defensively.
  • Fixed CPANEL-46970: Improved error messaging for package max_email_per_hour validation.
  • Fixed CPANEL-47033: Fix MariaDB 10.11+ startup error caused by attempting to load the non-existent auth_socket.so plugin.
  • Fixed CPANEL-47555: MySQL and MariaDB upgrades now detect and automatically remove version locks when proceeding with the upgrade, preventing database service from being left in a non-functional state.
  • Fixed CPANEL-48069: Automatically configure PHP error logging to ~/logs/php.error.log for all newly created domains.
  • Fixed CPANEL-48069: Allow PHP error logging directives (error_log, log_errors, error_log_mode) to be configured in MultiPHP INI Editor Basic Mode.
  • Fixed CPANEL-48418: Make stats program state/requirements clearer.
  • Fixed CPANEL-48631: Exempt CalDAV/CardDAV from DoS protection.
  • Fixed CPANEL-48930: Always force jailshell for jailed users crontabs.
  • Fixed CPANEL-49084: AutoDomain xfer config update will ignore files over 1 MiB.
  • Fixed CPANEL-49245: Stop stripping ‘defaults’ from fstab for disks which support usrjquota.
  • Fixed CPANEL-49464: Remove custom Net::SSLeay fork in favor of upstream module.
  • Fixed CPANEL-49681: Fix proxydomains CalDAV/CardDAV SRV records writing literal ‘%domain%’ placeholder instead of actual domain name to DNS zones.
  • Fixed CPANEL-49693: Additional package prefixes now supported in easyapache UI.
  • Fixed CPANEL-49983: Ensure that WHM-managed IPv4 addresses are added after NetworkManager finishes configuring the basic parameters on the interface.
  • Fixed CPANEL-50064: Update the maintenance script to notify the admin of any long-running rpm/apt locks.
  • Fixed CPANEL-50065: Block updates if the package manager is actively holding locks.
  • Fixed CPANEL-50066: Label outdated and secured PHP versions in MultiPHP Manager and INI Editor.
  • Fixed CPANEL-50129: Fix redirect issue for search results on the domains page.
  • Fixed CPANEL-50133: Fix issue where new login sessions were not able to make changes to items created in previous sessions from phpMyAdmin.
  • Fixed CPANEL-50134: Allow Team user password invitation to work when the API log is enabled.
  • Fixed CPANEL-50191: Fix mails on maildir immediately going to cur/ on delivery instead of new/.
  • Fixed CPANEL-50213: Fix maildirsize file not getting re-created if missing on IMAP login.
  • Fixed CPANEL-50213: Set autoexpunge rules for mailboxes in the config blocks which initially set them up instead of later in IMAP/POP settings.
  • Fixed CPANEL-50214: Various integration improvements to Jodit Editor.
  • Fixed CPANEL-50245: Add unified SSL interface.
  • Fixed CPANEL-50271: Fix ability to set Dovecot ssl.conf settings.
  • Fixed CPANEL-50301: Fix bug in Cpanel::RPM::Versions::Pkgr where children of the locker PID would destroy the lockfile out from under a parent on exit.
  • Fixed CPANEL-50385: Fix 404 errors when granting support access for forked tickets where SSH keys already exist from parent tickets.
  • Fixed CPANEL-50422: Address additional net-snmp dependency issues not fixed for CPANEL-50161.
  • Fixed CPANEL-50423: Prevent team sub-account members from accessing WHMCS integration endpoints to block a privilege escalation path to WHM root.
  • Fixed CPANEL-50486: Deprecate Site Publisher, and recommend SiteJet instead.
  • Fixed CPANEL-50497: Update cpanel-jodit-editor to 4.7.9-2.cp130.
  • Fixed CPANEL-50532: Updated Trademarks pages to reflect WebPros International, L.L.C. ownership with improved layout and current third-party trademark attributions.
  • Fixed CPANEL-50565,CPANEL-50567,CPANEL-50665: Add additional File Manager usage analytics.
  • Fixed CPANEL-50575: Prevent the team users interface from being exploited to suspend or unsuspend arbitrary MySQL users.
  • Fixed CPANEL-50592: Allow upgrades to Dovecot 2.4 to reset SNI and SSL include file local templates in addition to the main configuration file’s local template.
  • Fixed CPANEL-50612: Fix typo in dovecot.conf template referring to cpdoveauth_domainownerd.sock.
  • Fixed CPANEL-50614: Change default value for auth_allow_cleartext to yes to improve compatibility with existing client connections.
  • Fixed CPANEL-50623: Re-build Munin so that munin-node can start when IPv6 is disabled.
  • Fixed CPANEL-50673: Update ssl_minimum_protocol list for Dovecot 2.4.
  • Fixed CPANEL-50686: Fix lua-socket for dovecot auth on 7->8 elevated systems.
  • Fixed CPANEL-50695: Fix email archiving.
  • Fixed CPANEL-50715: Fix bad auth proxying on mail node setups.
  • Fixed CPANEL-50721: Address missing libmariadb.so on upgrade to 132.
  • Fixed CPANEL-50725: Fix tailwatch’s AuthedMailIPTracker regexp for changes in strings emitted from Dovecot 2.4 (Login: -> Logged in:).
  • Fixed CPANEL-50739: Update Roundcube to v1.6.12.
  • Fixed CPANEL-50742: Allow the Task Queue system to load the POSIX interface Perl module freely again.
  • Fixed CPANEL-50744: Fixed manage disk usage in Roundcube with sieve scripts present.
  • Fixed CPANEL-50746: Adjust the default mail_path for virtual users to prevent permission denied errors before mail_path is overridden in userdb/passdb returns.
  • Fixed CPANEL-50756: Update cpanel-exim to 4.99.1.
  • Fixed CPANEL-50784: Fix request parsing fallback logic when integrations to dovecot don’t set a namespace in the auth request.
  • Fixed CPANEL-50795: Update PHP to 8.4.16.
  • Fixed CPANEL-50811: Add OpenAPI documentation for deprecated FeatureLists API methods.
  • Fixed CPANEL-50838: Allow php*-php-common namespace.
  • Fixed CPANEL-50845: Fix account backup failure when userdata directory contains subdirectories.
  • Fixed CPANEL-50847: Update cpanel-mailman to 2.2.0.41-1.cp130.
  • Fixed CPANEL-50852: Add some DumpFile variants to Cpanel::JSON.
  • Fixed CPANEL-50872: Force dovecot quota recalculation when deleting emails via the webmail interface.
  • Fixed CPANEL-50875: Fixed race condition viewing restore/transfer sessions.
  • Fixed CPANEL-50903: Fix HTML Editor File Browse relative pathing.
  • Fixed CPANEL-50911: Fix various issues in openapi specs.
  • Fixed CPANEL-50919: Fix masterContainer’s data-app-key being set inconsistently in some mysql upgrade ‘stage’ pages.
  • Fixed CPANEL-50935: The system now applies the Update DNS Zone setting when you use the Apply to Other Selected Accounts button in the Transfer Tool.
  • Fixed CPANEL-50950: Add “Formbricks” survey widget to RoundCube via plugin.
  • Fixed CPANEL-50957: Rename “Process Memory Limit: config” in Mailserver Config to “Process Memory Limit for Other Services”, and apply the setting to all internal Dovecot services not otherwise covered by another setting.
  • Fixed CPANEL-50960: Teach cpkeyclt about the comet backup acitvation code.
  • Fixed CPANEL-50967: Improve Jodit to support browsing subdirectories, and use relative links when inserting images via the filebrowser.
  • Fixed CPANEL-50990: Add Annual survey notification.
  • Fixed CPANEL-51016: Make the ‘Process Memory Limit: config (MB)’ setting in WHM » Mailserver Configuration apply to more Dovecot subprocesses/services.
  • Fixed CPANEL-51020: Fix archive.* domains failing SMTP authentication in roundcube.
  • Fixed CPANEL-51044: Fix config location for 999-cpanel-plugins.inc.php in cpanel-roundcubemail-plugins-cpanel package.
  • Fixed CPANEL-51068: Address ‘Use of uninitialized value’ errors when saving TweakSettings.
  • Fixed CPANEL-51074: Add support for File::Scan::ClamAV on U24.
  • Fixed CPANEL-51092: Modify SpamAssassin to recognize different Exim behavior when using the “+all” log selector.
  • Fixed CPANEL-51118: Fix “Oops” page displaying on MySQL roundcube.
  • Fixed CPANEL-51163: Update PHP to 8.4.17.
  • Fixed CPANEL-51255: Fix incorrect email disk usage calculations in Dovecot 2.4 where INBOX.INBOX folders and subaccount folders were incorrectly counted in quota.
  • Fixed CPANEL-51274: Fix tool link issues on the Domains page.
  • Fixed CPANEL-51335: Fix hook script output parsing when third-party hooks output JSON data before the result line.
  • Fixed CPANEL-51346: Fixed Whostmgr::Quota::setusersquota() condition that confused 0 with unlimited.
  • Fixed CPANEL-51488: Make EOL PHP/Hardened PHP clearer in EA4 UI output.
  • Fixed CPANEL-51510: Update cpanel-roundcubemail to 1.6.13.
  • Fixed CPANEL-51513: Respect httpd_deferred_restart_time during bulk account removal to avoid redundant Apache PHP-FPM restarts.
  • Fixed CPANEL-51568: Add ARC signing to SRS forwarded SMTP messages.
  • Fixed CPANEL-51576: Add WHM API function to report the count of domains using end-of-life PHP versions.
  • Fixed CPANEL-51581: Update cpanel-php84 to 8.4.18.
  • Fixed CPANEL-51591: Fix vacation autoresponse emails being bounced by providers like Gmail due to an empty envelope sender (-f <>) causing SPF/DKIM failures.
  • Fixed CPANEL-51627: Re-add support for Dovecot to use custom Diffie-Hellman parameters file.
  • Fixed CPANEL-51641: Display PHP outdated version warning in WHM List Accounts page when sites use end-of-life PHP versions.
  • Fixed CPANEL-51652: Removes Site Publisher deprecation notices from cPanel tools page, and the notification UI in WHM and cPanel.
  • Fixed CPANEL-51678: Fix FileManager upload popup incorrectly tracking anonymous Mixpanel events regardless of user analytics consent settings.
  • Fixed CPANEL-51680: Use less alarming warning text for SSL certificates that are expiring soon but will be auto-renewed.
  • Fixed CPANEL-51680: Fix false-alarm SSL expiry warnings for AutoSSL-managed domains.
  • Fixed CPANEL-51763: Update cpanel-jodit-editor to 4.9.14-1.cp130.
  • Fixed CPANEL-51765: PHP versions older than the system-configured minimum are now labeled “Outdated” instead of “Deprecated” in the MultiPHP Manager interface.
  • Fixed CPANEL-51788: Fix chkservd not reading mail service logs, which could cause Eximstats and Track Delivery to stop updating.
  • Fixed CPANEL-51833: Remove the Site Publisher link from the Domains additional resources panel.
  • Fixed CPANEL-51917: Ugrade Net::CIDR to 0.27 to address CVE-2021-4456.
  • Fixed CPANEL-51919: Upgrade Crypt::URandom for CVE-2026-2474.
  • Fixed CPANEL-51921: Upgrade Compress::Raw::Zlib to address CVE-2026-3381.
  • Fixed CPANEL-52006: Update PHP to 8.4.19.
  • Fixed CPANEL-52028: Show Hostname, Operating System, cPanel Version, and Load Averages in the WHM home Statistics card on mobile-sized viewports.
  • Fixed CPANEL-52097: Update cpanel-roundcubemail to 1.6.14.
  • Fixed CPANEL-52164: Fix uninitialized-value warnings in Cpanel::CachedDataStore when the datastore file disappears between stat calls during disk cache validation.
  • Fixed CPANEL-52185: The MultiPHP Manager outdated PHP banner now includes a description explaining that outdated PHP versions no longer receive security updates and recommends PHP ELS. The More Info link is positioned inline with the description instead of pushed to the far right.
  • Fixed CPANEL-52196: Fixed XSS vulnerability when using /viewer/ routes.
  • Fixed CPANEL-52224: CPAN updates, addressing CVE-2026-4177, CVE-2006-10002, CVE-2006-10003.
  • Fixed CPANEL-52327: Fix Apache rebuild warnings and repeated survey prompts caused by root’s scoped userdata directory.
  • Fixed CPANEL-52340: Update cpanel-roundcubemail to 1.6.15.
  • Fixed CPANEL-52361: Do not promote PHP ELS on servers that have an immunify360 license.
  • Fixed CPANEL-52412: Fix “Apply DMARC Policy” so it no longer overwrites existing DMARC records, and ensure it uses the server’s configured default policy rather than the hardcoded fallback.
  • Fixed CPANEL-52428: Fix cPanel MultiPHP Manager failing to display installed PHP versions with an out of date ea-cpanel-tools package.
  • Fixed DUCKS-4951: Fix 360 monitoring widget load failure on account creation page.
  • Fixed DUCKS-4995: Improve required extension handling and warning messages in WHM package forms.
  • Fixed DUCKS-5111: Add translations related to Nova for 8 languages.
  • Fixed DUCKS-5434: Fix feature-list rule validation for the default feature list to properly expand sparse entries and delegate to the shared validation module.
  • Fixed WPX-7724: Throttle AutoSSL failure notifications to at most once per 24 hours per vhost, notification type, and recipient.
  • Fixed WPX-9299: Fix WordPress installation failing to redirect to Extendify when a concurrent WPTK task caused the install task to be deferred.
  • Fixed WPX-9325: Skip the MailMan install task when disabled.
  • Fixed WPX-9862: AutoSSL now emits a clear error when the configured provider module does not exist on the system.
  • Fixed WPX-10026: Added the Stats::get_stats_daily UAPI method to retrieve daily AwStats data for a domain.
  • Implemented CPANEL-47921: Added a new tweak setting to control web server log archive retention and a script to perform automated cleanup.
  • Implemented CPANEL-47921: Added log retention controls to the Raw Access and Log Manager interfaces.
  • Implemented CPANEL-47921: Added WHM API for managing web server log retention settings across accounts.
  • Implemented CPANEL-47921: Added a WHM interface for managing web server log retention settings across cPanel accounts.
  • Implemented CPANEL-48364: Allow third-party backup tools to restore domains on DNS-clustered servers via the force parameter.
  • Implemented CPANEL-49391: Improve MIME header decoding in BoxTrapper by switching to the actively maintained CPAN Encode::MIME::Header module, which better handles malformed email headers.
  • Implemented CPANEL-49394: Ubuntu 22 is no longer supported by cPanel.
  • Implemented CPANEL-50070: Remove redundant server info rows from the WHM home Statistics sidebar and hide the sidebar when it has no content.
  • Implemented CPANEL-50109: Add scripts to view and mass-change PHP versions across all domains.
  • Implemented CPANEL-50258: Add option to log out of WebPros Account when logging out of cPanel, WHM, or Webmail.
  • Implemented CPANEL-50441: Updated Security Advisor for CSF.
  • Implemented CPANEL-50679: Remove libmariadb autofix logic from Sysup.
  • Implemented CPANEL-50694: Set dovecot_storage_version to dovecot version for possible compatibility with changes dovecot may or may not have in the future.
  • Implemented CPANEL-50759: Fix EasyApache4 wizard to correctly auto-select PHP extensions when installing ALT PHP versions from CloudLinux.
  • Implemented CPANEL-50963: Enable Imunify support on A10/CL10.
  • Implemented CPANEL-51137: Redesign PHP ELS installation progress indicator in MultiPHP Manager.
  • Implemented CPANEL-51430: Add automatic reissuance of short-lived (200-day) SSL certificates via the cPanel Store API.
  • Implemented CPANEL-51589: Let’s Encrypt certificates may be obtained from TLS wizard even if cPanel Store is disabled.
  • Implemented CPANEL-51639: Change Security Advisor to suggest installing cPanel CSF using cleaner methods.
  • Implemented CPANEL-51639: Display cPanel CSF in the WHM Manage Plugins interface.
  • Implemented CPANEL-51959: Fix styling of the Cancel button in the outdated PHP version confirmation dialog on the WHM MultiPHP Manager page.
  • Implemented CPANEL-52298: Update SVCB API Specs for Existing Go Links.
  • Implemented WPX-4885: Conditionally display Reseller/Owner column in List accounts.

Additional Documentation