cPanel before 57.9999.54 allows SQL Injection via the ModSecurity TailWatch log file (SEC-123).
cPanel before 11.54.0.4 allows unauthenticated arbitrary code execution via cpsrvd (SEC-91).
The login page for cPanel 9.1.0, and possibly other versions, allows remote attackers to execute arbitrary code via shell metacharacters in the user parameter.
guestbook.cgi in cPanel 5.0 allows remote attackers to execute arbitrary commands via the template parameter.