cPanel prior to 60.0.25 allows format-string injection in exception-message handling (SEC-171).
cpanel cpanel