cPanel prior to 11.54.0.4 allows arbitrary code execution because of an unsafe @INC path (SEC-46).
cpanel cpanel