A critical vulnerability (CVE-2026-23918) has been identified in the HTTP/2 module of the Apache HTTP Server. If left unpatched, it could allow remote code execution.
Full advisory:
https://support.cpanel.net/hc/en-us/articles/40229402602519-Security-CVE-2026-23918
Our Infrastructure Status
All Broodle Host shared hosting and cloud hosting platforms run on LiteSpeed Web Server instead of Apache.
As a result, our hosting servers are not affected by this vulnerability and remain fully secure. No action is required for shared or cloud hosting customers.
Action Required for VPS / Dedicated Server Users
If you are using a VPS or Dedicated Server with Apache installed, you must update immediately.
RHEL-based systems (CloudLinux / AlmaLinux)
yum clean all
yum makecache
yum -y update 'ea-apache*'
AlmaLinux (dnf)
dnf clean all
dnf makecache
dnf -y update 'ea-apache*'
Ubuntu
apt update
apt install --only-upgrade "ea-apache24*"
Verification
After updating, confirm the installed version:
httpd -v
The version should be Apache 2.4.67 or later.
Temporary Mitigations (if immediate update is not possible)
These measures reduce risk but do not replace patching:
- Disable HTTP/2 support
- Remove mod_dav_lock if not in use
- Review and restrict .htaccess permissions
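The verification step and the two module-level mitigations above can be checked together with a short script. This is an added example, not part of the cPanel advisory or any vendor tooling; the function names and status labels are made up for illustration, and the sample `httpd -v` / `httpd -M` outputs are constructed.

```shell
#!/bin/sh
# Added example: check an Apache host against the fixed version in this notice.
FIXED="2.4.67"   # minimum patched version, as stated in this notice

# Constructed sample outputs of `httpd -v` and `httpd -M` (not from a real server).
SAMPLE_OLD='Server version: Apache/2.4.66 (cPanel)
Server built:   Jan  1 2026 00:00:00'
SAMPLE_MODS=' core_module (static)
 http2_module (shared)
 dav_lock_module (shared)'

# Print the dotted version found in `httpd -v` output ($1), or nothing.
apache_version() {
    printf '%s\n' "$1" |
        sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeed if version $1 >= $2, comparing each field as a number
# (a string compare would wrongly rank 2.4.100 below 2.4.67).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# audit VERSION_OUTPUT MODULE_OUTPUT prints one of:
#   PATCHED, UNPATCHED_MODULES_LOADED, UNPATCHED_MODULES_OFF, UNKNOWN
# Only the two module mitigations are checked; .htaccess review stays manual.
audit() {
    ver=$(apache_version "$1")
    [ -n "$ver" ] || { echo UNKNOWN; return 0; }
    if version_ge "$ver" "$FIXED"; then echo PATCHED; return 0; fi
    if printf '%s\n' "$2" | grep -Eq '^[[:space:]]*(http2|dav_lock)_module'; then
        echo UNPATCHED_MODULES_LOADED
    else
        echo UNPATCHED_MODULES_OFF
    fi
}

# On a real host, audit the live binary; otherwise show the sample result.
if command -v httpd >/dev/null 2>&1; then
    audit "$(httpd -v 2>/dev/null)" "$(httpd -M 2>/dev/null)"
else
    audit "$SAMPLE_OLD" "$SAMPLE_MODS"
fi
```

A result of UNPATCHED_MODULES_OFF still means the server needs the update; it only indicates that the HTTP/2 and mod_dav_lock mitigations are in place.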
Summary
- Cloud and WordPress hosting environments are unaffected due to LiteSpeed usage
- All such platforms are secure and require no action
- VPS and Dedicated Server users running Apache must update immediately
For any assistance, please contact the support team.
Tuesday, May 5, 2026