cPanel prior to 71.9980.37 allows malicious users to make API calls that bypass the images feature restriction (SEC-430).
cpanel cpanel