CVE Alert

CVE-2026-29204

Severity: CRITICAL
CVSS Score: 9.1
EPSS Score: 0.0%
EPSS Percentile: 0th

Insufficient ownership check in `clientarea.php` allows an authenticated client area user to submit requests using another user's `addonId` without any ownership validation, leading to unauthorized access to the victim's account.

CWE: CWE-639
Vendor: webpros
Product: whmcs
Published: May 12, 2026
Last Updated: May 12, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Affected Versions

WebPros / WHMCS
7.4.0 ≤ 18.12.2
18.13.0 < 18.13.3
9.0.0 < 9.0.4

References

help.whmcs.com: https://help.whmcs.com/m/125386/l/2073908-cve-2026-29204