Plesk Vulnerability History: Why Security-Conscious Admins Are Switching

May 11, 2026

Every Panel Has Vulnerabilities. The Question Is How Deep They Go.

No software is immune to security issues. Both cPanel and Plesk have published CVEs over the years, and any honest comparison must acknowledge that Panelica, being newer, has had less time to accumulate a public vulnerability record. What matters is architecture: how deeply a vulnerability can penetrate and how quickly it can be mitigated. Panelica is a modern hosting control panel designed for multi-server environments with a five-layer isolation architecture that limits the blast radius of any single vulnerability.

Recent Plesk Vulnerabilities

CVE-2025-66431: Root Code Execution via Domain Creation

In 2025, a critical vulnerability was discovered in Plesk's domain creation mechanism. A malicious Plesk user with the "Create and manage sites" permission could execute arbitrary code as root upon creating a domain. This is a privilege escalation from authenticated user to full root access, one of the most severe vulnerability classes in hosting panels.

CVE-2025-66430: Apache Configuration Injection

The Password-Protected Directories feature in Plesk allowed injection of arbitrary data into Apache configuration files. By exploiting this flaw, attackers could inject malicious directives and execute commands with root privileges. Affected versions included Plesk 18.0.70 through 18.0.74 and Plesk Onyx installations. Micro-updates 18.0.73.5 and 18.0.74.2 patched the issue.

Historical Context

These are not isolated incidents. The Plesk CVE database includes XSS vulnerabilities, CSRF issues, information disclosure flaws, and multiple privilege escalation paths discovered over the years. This is normal for any complex web application with a long history, but it highlights the importance of architectural security beyond just patching.

cPanel Vulnerability Record

For comparison, cPanel has accumulated 382 known CVEs as of late 2025. Recent notable issues include CVE-2025-66429, a directory traversal in the Team Manager API allowing file overwrite and root privilege escalation (affecting cPanel 110 through 132). cPanel's release cadence includes frequent security patches, but the volume of CVEs reflects the large attack surface of a Perl-based panel with decades of accumulated features.

Why Privilege Escalation Is the Critical Metric

Not all vulnerabilities are equal. An XSS flaw in a settings page is concerning but contained. A privilege escalation from authenticated user to root is catastrophic because it means any customer on a shared server could potentially take full control of the machine.

Both CVE-2025-66431 (Plesk) and CVE-2025-66429 (cPanel) are root escalation vulnerabilities. In shared hosting environments with dozens or hundreds of users, this class of vulnerability puts every account at risk.

How Architecture Reduces Risk

The Traditional Model

cPanel and Plesk run many operations as root because they need to modify system configurations (Apache/Nginx configs, DNS zones, mail configs, user accounts). When a vulnerability exists in code running as root, the escalation path is direct.

Panelica Five-Layer Isolation

Panelica provides container-native deployment and strict resource isolation through five distinct layers:

  • Layer 1: Cgroups v2 — Each user operates within a cgroup slice that limits CPU, memory, IO, and process count. Even if code is compromised, resource consumption is bounded.
  • Layer 2: Linux Namespaces — PID and mount namespaces create isolated views of the system. A compromised process cannot see other users' processes or mount points.
  • Layer 3: SSH Chroot — SSH and SFTP access is jailed to the user's directory. Shell access cannot navigate beyond the chroot boundary.
  • Layer 4: PHP-FPM Pools — Per-user, per-version PHP-FPM processes run with open_basedir restrictions and disabled dangerous functions. PHP code cannot access files outside the user's scope.
  • Layer 5: Unix Permissions — Home directories are set to 700. File operations use the UserContextService, which writes files as the target user through a secure temp-then-chown pattern, never running user-initiated file operations directly as root.

Reduced Root Exposure

Panelica's Go backend runs as a single compiled binary. Configuration generation uses template-based approaches that validate input before writing. The UserContextService pattern separates privileged operations (writing system configs) from user-scoped operations (writing user files), reducing the code paths that run with elevated privileges.
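
As an added illustration (not Panelica's or Plesk's code), the Go example below shows one way to validate user-supplied fields before rendering an Apache password-protected-directory block, the kind of generated configuration the CVE-2025-66430 section concerns. The type, function and path names are hypothetical, and the allowlists are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
	"text/template"
)

// ProtectedDir is a hypothetical request type; all names here are assumptions.
type ProtectedDir struct {
	DocRoot  string // trusted: set by the panel
	UserFile string // trusted: htpasswd path set by the panel
	SubPath  string // untrusted: directory chosen by the user
	Realm    string // untrusted: text for the browser login prompt
}

var (
	realmOK = regexp.MustCompile(`^[A-Za-z0-9 _.-]{1,64}$`)
	pathOK  = regexp.MustCompile(`^[A-Za-z0-9_./-]{1,255}$`)
	// text/template does no escaping, so validation must happen before rendering.
	tmpl = template.Must(template.New("dir").Parse("<Directory \"{{.Dir}}\">\n    AuthType Basic\n" +
		"    AuthName \"{{.Realm}}\"\n    AuthUserFile \"{{.UserFile}}\"\n    Require valid-user\n</Directory>\n"))
)

// RenderProtectedDir allowlists untrusted fields and confines the path to DocRoot before rendering.
func RenderProtectedDir(in ProtectedDir) (string, error) {
	if !realmOK.MatchString(in.Realm) || !pathOK.MatchString(in.SubPath) {
		return "", errors.New("field contains characters outside the allowlist")
	}
	root := filepath.Clean(in.DocRoot)
	dir := filepath.Join(root, in.SubPath) // Join resolves ".." segments
	if dir != root && !strings.HasPrefix(dir, root+string(filepath.Separator)) {
		return "", errors.New("path escapes the document root")
	}
	var b strings.Builder
	err := tmpl.Execute(&b, map[string]string{"Dir": dir, "Realm": in.Realm, "UserFile": in.UserFile})
	return b.String(), err
}

func main() { // constructed inputs: a valid realm, then one carrying a quote and a line break
	for _, realm := range []string{"Staff area", "x\"\nServerSignature On"} {
		out, err := RenderProtectedDir(ProtectedDir{"/var/www/u1/httpdocs", "/var/www/u1/.htpasswd", "private", realm})
		fmt.Printf("realm=%q err=%v\n%s", realm, err, out)
	}
}
```

The rejection happens before any bytes reach the template, so a quote or line break in a user field can never terminate a directive and start a new one.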

What This Means Practically

No panel can guarantee zero vulnerabilities. Panelica will likely have security issues discovered as it matures. The architectural advantage is that the five-layer isolation limits what a vulnerability can achieve:

  • A compromised PHP process is contained within its cgroup slice and open_basedir
  • A namespace escape would still face cgroup and Unix permission barriers
  • A chroot breakout would encounter namespace and cgroup isolation
  • Multiple layers must be bypassed simultaneously for full escalation

Practical Security Recommendations

Regardless of which panel you use:

  • Apply security patches immediately when released
  • Monitor CVE databases for your panel version
  • Enable automatic updates for security releases
  • Use the principle of least privilege for all user accounts
  • Enable two-factor authentication for panel access
  • Conduct regular security audits of server configuration

Conclusion

Plesk and cPanel both have documented histories of privilege escalation vulnerabilities. This is expected for complex panels with years of development. The difference in modern panels is architectural: defense in depth means that a single vulnerability does not equal total compromise. Panelica empowers sysadmins with RBAC and automated security tools, with five isolation layers designed so that no single breach grants unrestricted access. Security is not about being invulnerable — it is about limiting the damage when vulnerabilities inevitably appear.
