CVE-2026-41940
Published 2026-04-29

CVE-2026-41940: cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Priority: P1 (100)
Severity: Critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, remediation due 2026-05-03
Exploited in the wild
EPSS: 98.10% (99.9th percentile)
Affected (41 ranges in source, 25 shown)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cpanel | cpanel | >= 11.40 < 86.0.41 | 86.0.41 |
| cpanel | cpanel | >= 112.0.0 < 118.0.63 | 118.0.63 |
| cpanel | cpanel | >= 120.0.0 < 124.0.35 | 124.0.35 |
| cpanel | cpanel | >= 126.0.1 < 126.0.54 | 126.0.54 |
| cpanel | cpanel | >= 128.0.0 < 130.0.19 | 130.0.19 |
| cpanel | cpanel | >= 132.0.0 < 132.0.29 | 132.0.29 |
| cpanel | cpanel | >= 134.0.0 < 134.0.20 | 134.0.20 |
| cpanel | cpanel | >= 136.0.0 < 136.0.5 | 136.0.5 |
| cpanel | cpanel | >= 88.0.0 < 110.0.97 | 110.0.97 |
| cpanel | whm | >= 11.40 < 86.0.41 | 86.0.41 |
| cpanel | whm | >= 112.0.0 < 118.0.63 | 118.0.63 |
| cpanel | whm | >= 120.0.0 < 124.0.35 | 124.0.35 |
| cpanel | whm | >= 126.0.1 < 126.0.54 | 126.0.54 |
| cpanel | whm | >= 128.0.0 < 130.0.19 | 130.0.19 |
| cpanel | whm | >= 132.0.0 < 132.0.29 | 132.0.29 |
| cpanel | whm | >= 134.0.0 < 134.0.20 | 134.0.20 |
| cpanel | whm | >= 136.0.0 < 136.0.5 | 136.0.5 |
| cpanel | whm | >= 88.0.0 < 110.0.97 | 110.0.97 |
| cpanel | wp_squared | < 136.1.7 | 136.1.7 |
| webpros | cpanel | >= 11.104.0.0 < 11.110.0.97 | 11.110.0.97 |
| webpros | cpanel | >= 11.112.0.0 < 11.118.0.63 | 11.118.0.63 |
| webpros | cpanel | >= 11.120.0.0 < 11.124.0.35 | 11.124.0.35 |
| webpros | cpanel | >= 11.126.0.0 < 11.126.0.54 | 11.126.0.54 |
| webpros | cpanel | >= 11.128.0.0 < 11.130.0.19 | 11.130.0.19 |
| webpros | cpanel | >= 11.132.0.0 < 11.132.0.29 | 11.132.0.29 |
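The table mixes two spellings of the same release (short form `110.0.97` for cpanel/whm rows, long form `11.110.0.97` for webpros rows), and only 25 of the 41 ranges are shown, so an installed version that falls between two listed branches cannot be classified from this page alone. The checker below is an added example, not cPanel's or WebPros' tooling: it normalises both spellings, compares against the fixed-in versions transcribed from the rows above, and reports a gap between branches honestly rather than guessing. The version file path is the standard `/usr/local/cpanel/version`; the WP Squared branch comes from the single `wp_squared` row.

```python
"""Classify a cPanel/WHM or WP Squared version against the CVE-2026-41940
fixed-in versions listed on this page. Example code added for this page;
the range table is transcribed from the 25 rows shown above, so a version
that sits between two listed branches is reported as 'outside listed
ranges' instead of being guessed at."""
import os
import sys

# (lowest vulnerable, first fixed) per branch, on the short-form scale.
CPANEL_RANGES = [
    ((40, 0, 0), (86, 0, 41)),     # >= 11.40 < 86.0.41
    ((88, 0, 0), (110, 0, 97)),    # >= 88.0.0 < 110.0.97
    ((112, 0, 0), (118, 0, 63)),   # >= 112.0.0 < 118.0.63
    ((120, 0, 0), (124, 0, 35)),   # >= 120.0.0 < 124.0.35
    ((126, 0, 1), (126, 0, 54)),   # >= 126.0.1 < 126.0.54
    ((128, 0, 0), (130, 0, 19)),   # >= 128.0.0 < 130.0.19
    ((132, 0, 0), (132, 0, 29)),   # >= 132.0.0 < 132.0.29
    ((134, 0, 0), (134, 0, 20)),   # >= 134.0.0 < 134.0.20
    ((136, 0, 0), (136, 0, 5)),    # >= 136.0.0 < 136.0.5
]
WP_SQUARED_RANGES = [((0, 0, 0), (136, 1, 7))]  # < 136.1.7
RANGES = {"cpanel": CPANEL_RANGES, "whm": CPANEL_RANGES,
          "wp_squared": WP_SQUARED_RANGES}

VERSION_FILE = "/usr/local/cpanel/version"  # where cPanel stores its version string


def parse_version(text):
    """Normalise long form '11.110.0.97', short form '110.0.97' and legacy
    '11.40' / '11.40.1.5' to a 3-tuple of ints on the short-form scale."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) in (2, 4) and parts[0] == 11:  # long form: drop the leading 11
        parts = parts[1:]
    return tuple((parts + [0, 0, 0])[:3])


def fmt(version):
    return ".".join(str(x) for x in version)


def check_version(text, product="cpanel"):
    """Return (status, fixed_in). status is 'vulnerable', 'fixed' or
    'outside listed ranges'; 'fixed' is only claimed when the version is at
    or above the fix of its own branch (same leading component)."""
    v = parse_version(text)
    ranges = RANGES[product]
    for i, (low, fixed) in enumerate(ranges):
        if low <= v < fixed:
            return "vulnerable", fmt(fixed)
        next_low = ranges[i + 1][0] if i + 1 < len(ranges) else None
        if v >= fixed and v[0] == fixed[0] and (next_low is None or v < next_low):
            return "fixed", fmt(fixed)
    return "outside listed ranges", None


def main(argv):
    if len(argv) > 1:
        text = argv[1]
    elif os.path.exists(VERSION_FILE):
        with open(VERSION_FILE) as fh:
            text = fh.read()
    else:
        text = "11.110.0.96"  # constructed sample for running off-box
    status, fixed = check_version(text)
    suffix = f" (fixed in {fixed})" if fixed else " (consult the full 41-range list)"
    print(f"{text.strip()}: {status}{suffix}")
    return 0 if status == "fixed" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the host with no arguments to read the installed version, or pass a version string to classify one taken from an inventory; a non-zero exit on anything other than "fixed" makes it usable from a fleet sweep.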
Detection & IOCs (extracted from sources)

Command (IoC sweep for the related LiteSpeed plugin flaw, CVE-2026-48172):

```sh
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
```

- Detect CRLF injection in the Basic Authorization header sent to cPanel/WHM login endpoints: look for raw \r\n characters in the decoded credential, used to smuggle session-file properties (e.g. user=root).
- Monitor for a `whostmgrsession` cookie with a missing or truncated segment; this is the attacker's mechanism for bypassing the session encoder so that injected properties land in the raw session file.
- Sweep cPanel/WHM logs with the grep above for calls to the LiteSpeed plugin's redisAble function (CVE-2026-48172, a separate root privilege escalation that is being exploited alongside this bug in the cPanel ecosystem).
- Check Point IPS signature available: 'cPanel Authentication Bypass (CVE-2026-41940)'.
- CISA has linked CVE-2026-41940 with Sorry ransomware; hunt for Sorry ransomware artifacts on cPanel hosts as a post-exploitation payload.
- Monitor for Mirai botnet variant deployment on cPanel hosts following exploitation; Shadowserver observed 44,000 IP addresses engaging in scanning and brute-force attacks after exploitation.
- The vulnerability is present in cPanel & WHM versions after 11.40 by default: every system exposing the affected web service is vulnerable, with no special misconfiguration required.
- The session-file manipulation happens before authentication: cpsrvd writes the attacker-controlled session file to disk without sanitizing CRLF-injected data from the Basic Authorization header.
- A public proof-of-concept exploit was published by watchTowr on April 29, 2026, putting widespread exploitation within reach of lower-skilled threat actors.
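The first two indicators above are request-level: a Basic credential that decodes to something containing CR/LF, and a session cookie that is missing a segment. Neither is visible in a plain access log, so the check has to run on captured request headers (reverse proxy, IDS or pcap extraction). The detector below is an added example, not a vendor rule: it takes raw HTTP request text, base64-decodes any Basic Authorization header and flags embedded CR/LF (listing the smuggled key=value properties), and flags a `whostmgrsession`/`cpsession` cookie whose value has a `user:sessionid` part but no trailing `,obpart` segment. The cookie layout is an assumption drawn from the Metasploit note about omitting the "ob" part; the two sample requests are constructed here, not captured traffic.

```python
"""Flag request-level indicators for CVE-2026-41940 in captured HTTP requests
to cPanel/WHM login endpoints. Example code added for this page, not cPanel's
or any vendor's tooling. Assumes raw request text as a proxy, IDS or pcap
extractor would provide it; the session-cookie layout checked below
(user:sessionid,obpart, URL-encoded) is an assumption based on the Metasploit
description of the omitted 'ob' part."""
import base64
import binascii
import re
from urllib.parse import unquote

SESSION_COOKIES = ("whostmgrsession", "cpsession", "webmailsession")
KV_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_headers(raw):
    """Split a raw request into (request line, {lower-case name: [values]})."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        if ":" in line:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def decode_basic(value):
    """Return the decoded bytes of a 'Basic <b64>' credential, or None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    token = token.strip()
    token += "=" * (-len(token) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(token)
    except (binascii.Error, ValueError):
        return None


def injected_fields(decoded):
    """key=value lines smuggled after the real credential via CR/LF."""
    fields = []
    for piece in re.split(rb"\r\n|\r|\n", decoded)[1:]:
        m = KV_RE.match(piece.decode("latin-1"))
        if m:
            fields.append((m.group(1), m.group(2)))
    return fields


def analyze_request(raw):
    """Return a list of finding strings for one raw HTTP request."""
    _, headers = parse_headers(raw)
    findings = []
    for value in headers.get("authorization", []):
        decoded = decode_basic(value)
        if decoded is not None and re.search(rb"[\r\n]", decoded):
            fields = injected_fields(decoded)
            findings.append("crlf_in_basic_auth:" + ",".join(f"{k}={v}" for k, v in fields))
    for cookie_hdr in headers.get("cookie", []):
        for part in cookie_hdr.split(";"):
            name, _, value = part.strip().partition("=")
            if name in SESSION_COOKIES:
                decoded = unquote(value)
                if ":" in decoded and "," not in decoded:  # user:sessid with no ,obpart
                    findings.append(f"session_cookie_missing_segment:{name}")
    return findings


def basic(creds):
    return base64.b64encode(creds.encode()).decode()


# Constructed sample requests (not captured traffic). Host and paths are placeholders.
BENIGN_REQUEST = (
    "POST /login/ HTTP/1.1\r\n"
    "Host: whm.example.test:2087\r\n"
    "Authorization: Basic " + basic("root:Sup3rSecret!") + "\r\n"
    "Cookie: whostmgrsession=root%3a1234abcd%2cdeadbeef\r\n"
    "\r\n"
)
EVIL_CREDS = "root:x\r\nuser=root\r\nhasroot=1\r\ntfa_verified=1"
MALICIOUS_REQUEST = (
    "POST /login/ HTTP/1.1\r\n"
    "Host: whm.example.test:2087\r\n"
    "Authorization: Basic " + basic(EVIL_CREDS) + "\r\n"
    "Cookie: whostmgrsession=root%3a1234abcd\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("malicious", MALICIOUS_REQUEST)):
        print(label, analyze_request(req) or "no findings")
```

Feed it one request at a time from whatever captures the headers in front of ports 2082/2083/2086/2087; the property names it lists back (user, hasroot, tfa_verified) are the ones the Exploit-DB entry below names, and any CR/LF in a decoded Basic credential is a finding on its own regardless of which keys follow.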
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 9.3 | Critical | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| VulnCheck | | 9.3 | Critical | |
| CISA | | 9.3 | Critical | |
GHSA
GHSA-85qr-8rxc-62gv: cPanel and WHM versions prior to 11
ghsa_unreviewed·2026-04-29
CVE-2026-41940 [CRITICAL] CWE-306 GHSA-85qr-8rxc-62gv: cPanel and WHM versions prior to 11
cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
VulDB
cPanel/WHM prior 11.136.0.5 missing authentication
vuldb·2026-04-29·CVSS 9.3
CVE-2026-41940 [CRITICAL] cPanel/WHM prior 11.136.0.5 missing authentication
A vulnerability has been found in cPanel and WHM and classified as critical. Impacted is an unknown function. The manipulation leads to missing authentication.
This vulnerability is uniquely identified as CVE-2026-41940. The attack is possible to be carried out remotely. No exploit exists.
The affected component should be upgraded.
VulnCheck
Missing Authentication for Critical Function
vulncheck·2026·CVSS 9.3
CVE-2026-41940 [CRITICAL] Missing Authentication for Critical Function
Missing Authentication for Critical Function
cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.knownhost.com/forums/threads/cpanel-zero-day-exploit-network-wide-protections-in-place-for-cpanel-and-whm-logins-ports.6599/#post-29956
CISA
WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
cisa·2026-04-30·CVSS 9.3
CVE-2026-41940 [CRITICAL] CWE-306 WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
Vulnerability: WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
Affected: WebPros cPanel & WHM and WP2 (WordPress Squared)
WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026 ; https://docs.cpanel.net/release-notes/release-notes/ ; https://docs.wpsquared.com/changelogs/versi
Exploit-DB
cPanel - CRLF Injection
exploitdb·2026-05-26·CVSS 9.3
CVE-2026-41940 [CRITICAL] cPanel - CRLF Injection
cPanel - CRLF Injection
---
# ExploitTitle: cPanel 11.40 - CRLF Injection
# Author: nu11secur1tyAI
# Date: 2026-04-30
# Vendor: cPanel, L.L.C.
# Software: cPanel & WHM (cpsrvd)
# Reference: CVE-2026-41940 / watchTowr-2026-01
## Description:
A critical authentication bypass vulnerability exists in the cPanel/WHM
`cpsrvd` daemon due to improper neutralization of line delimiters (CRLF) in
the `whostmgrsession` cookie and `Authorization` headers. An
unauthenticated remote attacker can leverage this flaw to inject malicious
session parameters directly into the server's flat-file session metadata
store. By injecting sequences such as `user=root`, `hasroot=1`, and
`tfa_verified=1`, the attacker subverts the internal authentication logic,
forcing the system to issue a valid administrative sessi
Nuclei
cPanel & WHM - Authentication Bypass via Session-File CRLF Injection
nuclei·CVSS 9.3
CVE-2026-41940 [CRITICAL] cPanel & WHM - Authentication Bypass via Session-File CRLF Injection
cPanel & WHM - Authentication Bypass via Session-File CRLF Injection
cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Template (truncated in source):

```yaml
id: CVE-2026-41940

info:
  name: cPanel & WHM - Authentication Bypass via Session-File CRLF Injection
  author: watchtowr,hadrian.io,DhiyaneshDk
  severity: critical
  description: |
    cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control pan
```
Metasploit
cPanel/WHM CRLF Injection Authentication Bypass RCE
metasploit·CVSS 9.3
CVE-2026-41940 [CRITICAL] cPanel/WHM CRLF Injection Authentication Bypass RCE
cPanel/WHM CRLF Injection Authentication Bypass RCE
Exploits CVE-2026-41940, a CRLF injection in cPanel/WHM's cpsrvd daemon that allows unauthenticated remote code execution as root. The Basic-auth handler writes the password to the raw session file without stripping newlines. Omitting the ob-part of the session cookie bypasses the encoder, so injected fields land verbatim in the raw file. A subsequent request to /scripts2/listaccts triggers Cpanel::Session::Modify to promote those fields into the authoritative session cache, granting root WHM access. RCE uses the WHM JSON API passwd endpoint to set a temporary root password, then delivers the payload over SSH. The password is rotated after exploitation. This module does not restore the original root password. Affects all versions after 1
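The Metasploit description above, like the IoC note about cpsrvd writing the session file without sanitizing CRLF, comes down to one property of a line-oriented key=value store: a value containing a newline is indistinguishable from the start of a new key. The toy below is an added illustration, not cPanel's session code: it writes session properties one per line, shows that a password of `x\r\nuser=root\r\nhasroot=1\r\ntfa_verified=1` is read back as root-level properties (the field names are those the Exploit-DB entry lists), and puts the hardened writer beside it, which refuses any key or value carrying CR/LF. How the real encoder, the "ob" cookie segment and the listaccts promotion step fit together is described in the Metasploit text and is not modelled here.

```python
"""Why a CR/LF inside one session value becomes extra session properties.
Added illustration for this page, modelled on the mechanism the Metasploit
and IoC notes describe; this is a toy flat-file store, not cPanel's
session code. Property names user/hasroot/tfa_verified are the ones the
Exploit-DB entry names."""
import re
from io import StringIO

CONTROL = re.compile(r"[\r\n]")


def write_session_unsafe(props):
    """Vulnerable pattern: every value is written verbatim, one key=value per line."""
    buf = StringIO()
    for key, value in props.items():
        buf.write(f"{key}={value}\n")
    return buf.getvalue()


def write_session_safe(props):
    """Hardened pattern: reject any key or value that carries CR or LF
    before it can reach the line-oriented file."""
    for key, value in props.items():
        if CONTROL.search(key) or CONTROL.search(str(value)):
            raise ValueError(f"control character in session property {key!r}")
    return write_session_unsafe(props)


def load_session(text):
    """Line-oriented reader; a repeated key is overwritten by its later
    occurrence, which is what lets an injected user=root win."""
    session = {}
    for line in re.split(r"\r\n|\r|\n", text):
        if "=" in line:
            key, _, value = line.partition("=")
            session[key] = value
    return session


def demo():
    """Return (session as read back from the unsafe writer, whether the
    safe writer rejected the same input)."""
    evil_pass = "x\r\nuser=root\r\nhasroot=1\r\ntfa_verified=1"  # constructed payload
    props = {"user": "nobody", "hasroot": "0", "pass": evil_pass}
    unsafe_view = load_session(write_session_unsafe(props))
    try:
        write_session_safe(props)
        rejected = False
    except ValueError:
        rejected = True
    return unsafe_view, rejected


if __name__ == "__main__":
    view, rejected = demo()
    print("unsafe writer, read back:", view)
    print("safe writer rejected payload:", rejected)
```

The fix is deliberately a rejection rather than a strip: silently removing CR/LF still lets an attacker probe what survives, while refusing the request is both simpler to reason about and easier to alert on.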
Rapid7
Critical Check Point VPN Zero-Day Exploited in the Wild (CVE-2026-50751)
blogs_rapid7·2026-06-08·CVSS 8.6
CVE-2026-50751 [HIGH] Critical Check Point VPN Zero-Day Exploited in the Wild (CVE-2026-50751)
## Overview
On June 8, 2026, Check Point published a security advisory for CVE-2026-50751, a critical authentication bypass vulnerability affecting Check Point Remote Access VPN, Mobile Access, and Spark Firewall products. The vulnerability affects deployments configured to use the deprecated IKEv1 key exchange protocol where gateways accept legacy Remote Access clients and do not require a machine certificate for connections.
CVE-2026-50751, classified as improper authentication (CWE-287), has a CVSS score of 9.3. The vulnerability stems from a logic flow weakness in how Remote Access and Mobile Access components validate certificates during IKEv1 key exchange; successful exploitation allows an unauthenticated attacker to establish a VPN session without providing valid credentials. P
Rapid7
Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)
blogs_rapid7·2026-05-29·CVSS 7.8
CVE-2026-0257 [HIGH] Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)
## Overview
On May 13, 2026, Palo Alto Networks published a security advisory for CVE-2026-0257, a medium severity authentication bypass affecting PAN-OS and Prisma Access when a specific configuration is present. Successful exploitation of this vulnerability allows a remote unauthenticated attacker to successfully establish a VPN connection through the GlobalProtect gateway of an affected appliance.
Rapid7 MDR identified successful exploitation across numerous customers, however we did not observe any indication of successful lateral movement from the devices. The earliest date for observed exploitation was May 17, 2026. As of May 29, 2026, this vulnerability has been added to the CISA KEV.
While the assigned CVSSv4 score indicates a medium severity, due to the circumstances surroundin
Hackernews
LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root
blogs_hackernews·2026-05-23·CVSS 10.0
CVE-2026-48172 [CRITICAL] LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root
## LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root
A maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild.
The flaw, tracked as CVE-2026-48172 (CVSS score: 10.0), relates to an instance of incorrect privilege assignment that an attacker could abuse to run arbitrary scripts with elevated permissions.
"Any cPanel user (including an attacker or a compromised account) may exploit the lsws.redisAble function to execute arbitrary scripts as root," LiteSpeed said.
The vulnerability impacts all versions of the plugin between 2.3 and
Rapid7
Metasploit Wrap Up 05/22/2026
blogs_rapid7·2026-05-22·CVSS 9.8
CVE-2026-20182 [CRITICAL] Metasploit Wrap Up 05/22/2026
## Another week, another authentication bypass
Our humble Metasploit weekly(ish) blog has been blessed with a new network component vulnerability. The dynamic duo of @sfewer-r7 and @jburgess-r7 have discovered and authored the admin/networking/cisco_sdwan_vhub_auth_bypass module for CVE-2026-20182, a vulnerability gracing the Cisco Catalyst SD-WAN Controller. The devices, whose purpose is to control a software-defined (SD) wide-area network (WAN), were unfortunately missing an extra A for authentication. An oversight that Cisco has duly patched.
Elsewhere this week, the HUSTOJ online judge platform has been caught failing to judge its own zip files (CVE-2026-24479), courtesy of a zip-slip RCE module from LoTuS and friends. Next, @Alpenlol has weaponized the small matter of Barracuda's Emai
Recorded Future
April 2026 CVE Landscape
blogs_recorded_future·2026-05-15·CVSS 9.8
CVE-2026-33032 [CRITICAL] April 2026 CVE Landscape
## April 2026 CVE Landscape
In April 2026, Insikt Group® identified 37 high-impact vulnerabilities that should be prioritized for remediation , 35 of which had a Very Critical Recorded Future Risk Score. This represents a 19% increase from last month.
31 of the 37 were included in the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, and six were surfaced only through honeypot data. Those six CVEs associated with honeypots are available only to Recorded Future customers.
Those 37 vulnerabilities affected products from 23 vendors. Microsoft accounted for approximately 22%, while the remaining exposure was concentrated across a range of enterprise-facing vendors, particularly security and systems management tools, collaboration and
Rapid7
CVE-2026-0265: Authentication Bypass in Palo Alto Networks PAN-OS
blogs_rapid7·2026-05-14·CVSS 7.2
CVE-2026-0265 [HIGH] CVE-2026-0265: Authentication Bypass in Palo Alto Networks PAN-OS
## Overview
On May 13, 2026, Palo Alto Networks published a security advisory for CVE-2026-0265, a signature verification vulnerability that facilitates authentication bypass on PAN-OS, the operating system that most Palo Alto Networks firewalls run. This vulnerability allows a remote unauthenticated attacker with network access to bypass authentication when Cloud Authentication Service (CAS) is enabled and attached to a login interface; the vulnerable configuration is non-default but common. CVE-2026-0265 affects PAN-OS on PA-Series and VM-Series firewalls, as well as Panorama (virtual and M-Series) appliances. Cloud NGFW and Prisma Access are not affected.
Palo Alto Networks assigned CVE-2026-0265 a “High” 7.2 CVSS score. The advisory states that the vulnerability’s severity scoring
Hackernews
cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor
blogs_hackernews·2026-05-11·CVSS 9.3
CVE-2026-41940 [CRITICAL] cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor
## cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor
A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments.
The attack exploits CVE-2026-41940, a vulnerability impacting cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel.
According to a new report from QiAnXin XLab, the security defect has been exploited by a number of threat actors shortly after its public disclosure
Hackernews
cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now
blogs_hackernews·2026-05-09·CVSS 4.3
CVE-2026-29201 [MEDIUM] cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now
## cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now
cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to achieve privilege escalation, code execution, and denial-of-service.
The list of vulnerabilities is as follows -
CVE-2026-29201 (CVSS score: 4.3) - An insufficient input validation of the feature file name in the "feature::LOADFEATUREFILE" adminbin call that could result in an arbitrary file read.
CVE-2026-29202 (CVSS score: 8.8) - An insufficient input validation of the "plugin" parameter in the "create_user API" call that could res
Rapid7
Critical Buffer Overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300)
blogs_rapid7·2026-05-06·CVSS 9.3
CVE-2026-0300 [CRITICAL] Critical Buffer Overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300)
## Overview
On May 6, 2026, Palo Alto Networks published a security advisory for CVE-2026-0300, a critical unauthenticated buffer overflow vulnerability affecting PAN-OS PA-Series and VM-Series firewall appliances. Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this vulnerability. The vulnerability carries a CVSSv4 score of 9.3 and has been confirmed as exploited in the wild by the vendor.
CVE-2026-0300 is a buffer overflow (CWE-787) in the User-ID™ Authentication Portal (also known as Captive Portal), a non-default PAN-OS feature used to map IP addresses to usernames. An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted packets to a device with the Authentication Portal enabled, achieving arbitrary code execution with
Hackernews
Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks
blogs_hackernews·2026-05-04·CVSS 9.3
CVE-2026-41940 [CRITICAL] Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks
## Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks
A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel.
The activity, detected by Ctrl-Alt-Intel on May 2, 2026, involves the abuse of CVE-2026-41940, a critical vulnerability in cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers
Checkpoint
4th May – Threat Intelligence Report
blogs_checkpoint·2026-05-04·CVSS 9.9
CVE-2026-26268 [CRITICAL] 4th May – Threat Intelligence Report
## 4th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 4th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Medtronic, a global medical device maker, has disclosed a cyberattack on its corporate IT systems. An unauthorized party accessed data, while the company reported no impact on products, operations, or financial systems. Threat group ShinyHunters claimed the theft of 9 million records, and Medtronic is evaluating what data was expose
Hackernews
⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More
blogs_hackernews·2026-05-04·CVSS 9.3
CVE-2026-41940 [CRITICAL] ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More
## ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More
This week, the shadows moved faster than the patches.
While most teams were still triaging last month’s alerts, attackers had already turned control panels into kill switches, kernels into open doors, and open-source pipelines into silent delivery systems.
The game has shifted from breach to occupation. They’re living inside SaaS sessions, pushing code with trusted commits, and scaling operations like legitimate businesses — except their product is chaos. And the underground is getting uncomfortably professional.
Here’s the full week
Bleepingcomputer
Critical cPanel flaw mass-exploited in "Sorry" ransomware attacks
blogs_bleepingcomputer·2026-05-02·CVSS 9.3
CVE-2026-41940 [CRITICAL] Critical cPanel flaw mass-exploited in "Sorry" ransomware attacks
## Critical cPanel flaw mass-exploited in "Sorry" ransomware attacks
## Lawrence Abrams
A newly disclosed cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to breach websites and encrypt data in "Sorry" ransomware attacks.
This week, an emergency update for WHM and cPanel was released to fix a critical authentication bypass flaw that allows attackers to access control panels.
WHM and cPanel are Linux-based web hosting control panels for server and website management. While WHM provides server-level control, cPanel provides administrator access to the website backend, webmail, and databases.
Soon after its release, it was reported that the flaw was being actively exploited in the wild as a zero-day , with exploitation attempts dating back to late February.
Bleepingcomputer
Critical cPanel and WHM bug exploited as a zero-day, PoC now available
blogs_bleepingcomputer·2026-04-30·CVSS 9.3
CVE-2026-41940 [CRITICAL] Critical cPanel and WHM bug exploited as a zero-day, PoC now available
## Critical cPanel and WHM bug exploited as a zero-day, PoC now available
## Bill Toulas
The critical CVE-2026-41940 authentication bypass vulnerability in cPanel, WHM, and WP Squared is being actively exploited in the wild and has been leveraged in attempts since late February.
It is unclear when exploitation started, but KnownHost, a hosting provider that uses cPanel, said the day the vulnerability was disclosed that "successful exploits have been seen in the wild" before a fix became available.
However, KnownHost CEO Daniel Pearson stated that the company has "seen execution attempts as early as 2/23/2026."
Newly published technical details, which can be used to develop an exploit, reveal that the issue is a "Carriage Return Line Feed (CRLF) injection in the login and session loadi
Rapid7
CVE-2026-41940: cPanel & WHM Authentication Bypass
blogs_rapid7·2026-04-29·CVSS 9.3
CVE-2026-41940 [CRITICAL] CVE-2026-41940: cPanel & WHM Authentication Bypass
## Overview
On April 28, 2026, cPanel issued a security update to fix a critical vulnerability affecting the cPanel & WHM and WP Squared products. In the cPanel release notes, the bug was described as "an issue with session loading and saving." CVE-2026-41940, the identifier subsequently assigned on April 29, 2026, has a CVSS score of 9.8 and allows unauthenticated remote attackers to bypass authentication and gain unauthorized administrative access to the affected systems. First-party cPanel & WHM and WP Squared vendor advisories are available.
cPanel & WHM is web hosting control panel software used to manage websites and servers. WHM provides root-level administration, while cPanel acts as the user-facing interface. Successful exploitation of CVE-2026-41940 grants an attacker control
Bleepingcomputer
cPanel, WHM emergency update fixes critical auth bypass bug
blogs_bleepingcomputer·2026-04-29·CVSS 9.3
CVE-2026-41940 [CRITICAL] cPanel, WHM emergency update fixes critical auth bypass bug
## cPanel, WHM emergency update fixes critical auth bypass bug
## Bill Toulas
A critical vulnerability affecting all but the latest versions of cPanel and the WebHost Manager (WHM) dashboard could be exploited to obtain access to the control panel without authentication.
The security issue, currently identified as CVE-2026-41940 and with a severity score of 9.8, has been addressed in an emergency update that requires running a command manually to retrieve a patched version of the software.
Owned by WebPros International, WHM and cPanel are Linux-based web hosting control panels for server and website management. While WHM provides server-level control, cPanel provides administrator access to the website backend, webmail, and databases.
Both products are among the most widely deployed
References
- https://docs.cpanel.net/release-notes/release-notes
- https://docs.wpsquared.com/changelogs/versions/changelog/#13617
- https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
- https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026
- https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow
- https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/
- https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/
- https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940
Timeline
- 2026-04-29: Published
- 2026-04-30: Added to CISA KEV
- Exploited in the wild