cPanel EasyApache 4 25.70: PHP and curl Security Updates

cPanel EasyApache 4 25.70 updates PHP and ea-libcurl for CVE fixes, while Sitejet Builder 4.11.0-1 tightens read-only API token behavior.
cPanel EasyApache 4 25.70 PHP and curl security update checklist for hosting servers

cPanel published EasyApache 4 25.70 and Sitejet Builder 4.11.0-1 on July 9, 2026. This is a practical hosting-admin update because the EasyApache release includes PHP security fixes for CVE-2026-14355 and CVE-2026-12184, plus ea-libcurl backports tied to the curl 8.21.0 security advisory.

For cPanel and WHM servers, treat this as a normal backup-first maintenance window. The release is not a reason to panic, but it is a reason to confirm your EasyApache packages are current on any server that exposes PHP applications, hosted WordPress sites, WHMCS installs, customer control panels, or API-driven apps.

What changed

  • EasyApache 4 25.70 updates PHP 8.2, PHP 8.3, PHP 8.4, and PHP 8.5 for CVE-2026-14355.
  • PHP 8.3 also receives a fix for CVE-2026-12184, which cPanel describes as a TLS setup failure that can lead to remote denial of service.
  • ea-libcurl receives 13 backported CVE fixes from the curl 8.21.0 security advisory.
  • Sitejet Builder 4.11.0-1 improves read-only API token enforcement for Sitejet Builder UAPI methods.

What to do before updating

  1. Confirm you have a current account backup and a server-level recovery path.
  2. List the sites or apps using PHP 8.2, 8.3, 8.4, or 8.5 so post-update checks are targeted.
  3. Schedule the update during a maintenance window if the server hosts customer stores, forms, billing portals, or high-traffic WordPress sites.
  4. Capture current PHP, curl, Apache, and nginx package versions before applying the EasyApache update.

Post-update checks

  • Verify the EasyApache package set reports EasyApache 4 25.70 or newer.
  • Confirm PHP-FPM pools restart cleanly for customer sites.
  • Open a representative WordPress admin page, WooCommerce checkout path, WHMCS client area, and any custom PHP form that matters to the server.
  • Check recent web server, PHP-FPM, and ModSecurity logs for new errors after the maintenance window.
  • If Sitejet Builder is used, confirm expected read-only API token behavior still works for delegated users.

FixItPhill guidance

Install this update after backups are confirmed, then verify live customer workflows instead of relying only on package status. The highest-value checks are the boring ones: PHP-FPM health, checkout pages, login flows, forms, billing portals, and error logs after traffic resumes.

Source: cPanel Release Notes for EasyApache 4 25.70 and Sitejet Builder 4.11.0-1.

Picture of admin

admin

Leave a Reply

Sign up for our Newsletter

Get the latest information on what is going on in the I.T. World.