cPanel prior to 71.9980.37 allows code injection in the WHM cPAddons interface (SEC-394).
cpanel cpanel