A perfect-10 LiteSpeed cPanel bug hands any user root

  • Shipped
  • Action required
  • High importance

CVE-2026-48172 is the kind of bug shared-hosting operators dread: a CVSS 10.0 privilege escalation in the LiteSpeed cPanel plugin's lsws.redisAble routine, which mishandles enabling and disabling Redis. Any unprivileged cPanel user can ride that path to run arbitrary scripts as root, collapsing the wall meant to keep tenants apart. Versions 2.3 through 2.4.4 are affected, and reports of in-the-wild exploitation landed over the weekend. There's little nuance to the fix: update to cPanel plugin 2.4.7 (WHM plugin 5.3.1.0) now, or pull the user-end plugin entirely. On a multi-tenant box, assume one compromised account means the whole server until the logs say otherwise.
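A fleet-triage sketch for the version guidance above, added here as an example and not taken from LiteSpeed or cPanel: it sorts each host's reported user-end plugin version into affected, fixed, removed, or needs-review. The hostnames, the `not-installed` marker and the inventory format are constructed, and how the version is collected from each host is left as an assumption.

```python
import re

# Bounds for the cPanel user-end plugin, taken from the advisory text above.
AFFECTED_MIN = (2, 3, 0)   # "2.3"
AFFECTED_MAX = (2, 4, 4)   # "2.4.4"
FIXED_MIN = (2, 4, 7)      # "2.4.7"

def parse_version(text):
    """Return (major, minor, patch) from '2.4.4' or 'v2.4.4-1'; None if unparseable."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(version_text):
    """Map a reported plugin version to a triage status."""
    if version_text.strip().lower() == "not-installed":
        return "removed"            # constructed marker: user-end plugin pulled
    v = parse_version(version_text)
    if v is None:
        return "review"             # unreadable value: check the host by hand
    if v >= FIXED_MIN:
        return "fixed"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    # Below 2.3, or 2.4.5-2.4.6: the advisory text does not classify these.
    return "review"

def triage(inventory_text):
    """Parse 'host version' lines and return {host: status}."""
    result = {}
    for line in inventory_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not line.lstrip().startswith("#"):
            result[fields[0]] = classify(fields[1])
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """\
# host          plugin_version
web01.example   2.4.4
web02.example   2.3
web03.example   2.4.7
web04.example   2.4.5
web05.example   not-installed
web06.example   v2.4.0-1
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:15} {status}")
```

Hosts that come back `affected` are the ones to treat as potentially compromised and prioritise for log review; `review` covers versions the advisory text does not place on either side of the fix.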