cPanel prior to 86.0.14 allows malicious users to obtain access to the current working directory via the account backup feature (SEC-540).
cpanel cpanel