The Removal of cgiemail and cgiecho

Last modified: June 17, 2021



Flaws previously discovered in the cgiemail and cgiecho scripts caused cPanel, L.L.C. to remove support for them in cPanel & WHM. The upstream author of the cgiemail scripts has not provided maintenance in over a decade. While cPanel, L.L.C. has provided patches for issues and vulnerabilities when we discover them, modern shared hosting environments should not depend on these scripts.

To remove the cgiemail and cgiecho scripts from your system, perform the correct steps for your version of cPanel & WHM:

  • cPanel & WHM version 64 and earlier — Manually remove the cgiemail and cgiecho scripts from the cgi-sys directory and cgi-bin directories. To do this, manually run the /usr/local/cpanel/scripts/clean_cgiemail script.

  • cPanel & WHM version 68 — Remove these scripts via the Feature Showcase interface when you log in to WHM. This feature automatically runs the /usr/local/cpanel/scripts/clean_cgiemail script.

The clean_cgiemail script

The /usr/local/cpanel/scripts/clean_cgiemail script removes the cpanel-cgiemail RPM from the system. It also removes copies of the cgiemail and cgiecho scripts from users’ cgi-bin directories.

To use this script, run the following command:

/usr/local/cpanel/scripts/clean_cgiemail [options]


The /usr/local/cpanel/scripts/clean_cgiemail script accepts the following options:

  • --rpm — Remove the cgiemail RPM.

  • --docroot — Remove the cgiemail scripts from users’ home directories.

  • --user=username — Remove the cgiemail script from only the username user’s home directory.

    Use this argument with the --docroot argument.

  • --dryrun — Only view a list of files that the script will remove.

  • --notify — Send a notification to the system administrator when the script runs.


For example, run the following command to remove the cpanel-cgiemail RPM and remove the cgiemail script from the username user’s home directory:

/usr/local/cpanel/scripts/clean_cgiemail --rpm --docroot --user=username

This command’s output will resemble the following example:

info [clean_cgiemail] Removing RPM: cpanel-cgiemail-1.6-5.cp1136.x86_64 ...
info [clean_cgiemail] Success.
info [clean_cgiemail] Removing file: /home/foobar/public_html/cgi-bin/cgiemail ...
info [clean_cgiemail] Success.
info [clean_cgiemail] Found 1 scripts in user docroots.
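
A follow-up check for the cleanup above, as an added example that is not part of cPanel's documentation or tooling: `unconfirmed_removals` reads saved clean_cgiemail output and lists any removal that is not followed by a Success line, and `leftover_cgiemail` independently searches the docroots for remaining copies. It assumes the output format of the sample above and home directories under /home; both function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of cPanel's tooling. Function names are hypothetical.

# unconfirmed_removals: read clean_cgiemail output on stdin and print every
# "Removing ..." line that is not immediately followed by a "Success." line.
# Assumption: the output format matches the sample shown on this page.
# Returns 0 when every removal was confirmed, 1 otherwise.
unconfirmed_removals() {
    awk '
        pending != "" && !/\[clean_cgiemail\] Success\.$/ { print pending; bad = 1 }
        { pending = "" }
        /\[clean_cgiemail\] Removing (RPM|file): / { pending = $0 }
        END {
            if (pending != "") { print pending; bad = 1 }
            exit bad + 0
        }
    '
}

# leftover_cgiemail ROOT [USER]: list cgiemail/cgiecho files or symlinks that
# still sit below a cgi-bin directory under ROOT (or under ROOT/USER only).
# Assumption: ROOT defaults to /home, as in the sample output on this page.
# Returns 0 when none remain, 1 when copies remain, 2 on a bad path.
leftover_cgiemail() {
    base="${1:-/home}"
    if [ -n "${2:-}" ]; then
        base="$base/$2"
    fi
    if [ ! -d "$base" ]; then
        echo "not a directory: $base" >&2
        return 2
    fi
    # -xdev stays on one filesystem; ls -ld shows mode and owner of each hit.
    hits=$(find "$base" -xdev \( -type f -o -type l \) \
               \( -name cgiemail -o -name cgiecho \) \
               -path '*/cgi-bin/*' -exec ls -ld {} + 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}
```

Pipe the saved output of the cleanup run into `unconfirmed_removals`, then run `leftover_cgiemail /home` as root; a non-zero status from either function means the removal needs another look.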
