cPanel prior to 66.0.2 allows stored XSS during WHM cPAddons file operations (SEC-265).
cpanel cpanel