This vulnerability arises from improper input sanitization of the 'status' query parameter in the /unprotected/nova_error endpoint of WebPros cPanel. An unauthenticated attacker can exploit this flaw to inject arbitrary HTTP headers into server responses, potentially enabling HTTP response splitting or header injection attacks. The affected versions are 11.132.0.0, 11.134.0.0, and 11.136.0.0. The CVSS 3.1 base score is 8.3, indicating high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability.

Successful exploitation allows an unauthenticated attacker to inject arbitrary HTTP headers into responses from the vulnerable endpoint. This can lead to HTTP response splitting, which may facilitate web cache poisoning, cross-site scripting, or other client-side attacks. The vulnerability impacts confidentiality, integrity, and availability as indicated by the CVSS vector. However, no known exploits have been reported in the wild to date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or temporary mitigation is currently documented, users should monitor WebPros advisories for updates. Until a patch is available, consider restricting access to the vulnerable endpoint if feasible or implementing web application firewall (WAF) rules to detect and block suspicious input patterns targeting the 'status' parameter.