cPanel prior to 68.0.15 allows arbitrary code execution via Maketext injection in a Reseller style upload (SEC-314).
cpanel cpanel