ConfigServer Security & Firewall (CSF) Release Notes

Last modified: 2026 May 19


ConfigServer Security & Firewall (CSF) 16.20-1

2026 May 19

Bug fixes

Fixed regex.custom.pm custom rules silently failing to match log lines (CPANEL-53173). Fixed csf -cf $file no longer retaining newlines in the file (CPANEL-52801).


ConfigServer Security & Firewall (CSF) 16.18-1

2026 May 4

Managesieve LFD alert fix

Added managesieve-login to csf.pignore to prevent excessive LFD resource usage alerts triggered by the Dovecot managesieve plugin (CPANEL-52448).


ConfigServer Security & Firewall (CSF) 16.17-1

2026 May 4

LFD startup and detection fixes

Fixed LFD failing to detect and block IMAP/POP3 brute-force login failures on Dovecot 2.4 (CPANEL-51854). Fixed LFD not starting automatically after cPanel version upgrades (CPANEL-52606). Fixed firewall rules sometimes failing to load after cpanel-csf upgrades (CPANEL-52154). Fixed LFD startup crash when /etc/csf/csf.error does not exist (CPANEL-52155). Fixed LFD not starting unless /etc/csf/csf.error is present and refactored the DIE signal handler (CPANEL-52977).


ConfigServer Security & Firewall (CSF) 16.12-1

2026 March 18

Package removal cleanup fix

Fixed an issue where uninstalling cpanel-csf left the CSF plugin entry and LFD service status behind in WHM (CPANEL-51933). This release also suppresses harmless errors on missing symlinks during upgrades.


ConfigServer Security & Firewall (CSF) 16.11-1

2026 March 6

Package upgrade behavior fix

Fixed an issue where upgrading cpanel-csf would overwrite custom csf-cron entries.


ConfigServer Security & Firewall (CSF) 16.10-1

2026 March 2

CloudFlare configuration file preservation

The csf.cloudflare configuration file is now properly marked as %config(noreplace), preventing it from being overwritten during package upgrades.


ConfigServer Security & Firewall (CSF) 16.09-1

2026 February 27

Environment variable isolation for CSF binary

Fixed an issue where the PERL5LIB environment variable could influence the behavior of /usr/sbin/csf, ensuring CSF uses the correct library paths.


ConfigServer Security & Firewall (CSF) 16.08-1

2026 February 5

WebPros now maintains CSF for cPanel & WHM

WebPros International has assumed stewardship of ConfigServer Security & Firewall (CSF) and repackaged it as the cpanel-csf RPM. CSF now installs and updates through the standard cPanel package management system on all supported cPanel & WHM versions. Support for non-cPanel platforms has been removed; this package is exclusively for cPanel & WHM environments.

Security improvements and codebase modernization

This release addresses XSS vulnerabilities in the CSF web UI and improper HTML encoding throughout the codebase. The code has been modernized to use cPanel-native Perl libraries and conventions, with a new suite of 100+ tests providing ongoing stability assurance. IPv6 handling, timeout validation, and log parsing for AlmaLinux 10 have also been corrected.

Package-managed updates

CSF now updates through the cPanel package manager. The previous AUTO_UPDATES feature has been removed. Keep your cPanel & WHM installation current to receive CSF security and stability patches automatically.

