Find notable cyber news and cases, enriched with sources, timelines, and signals.

CPanel and WHM authentication bypass (CVE-2026-41940)

Vulnerability
First reported
Last updated
Happening score
H score 89
1 unique sources, 2 articles

Summary

Hide ▲

cPanel and WHM are affected by CVE-2026-41940, an authentication bypass in the login flow that can let unauthenticated remote attackers gain control-panel access. The flaw is rated 9.8/10.0, has a patch available, and was reported as actively exploited as a 0-day, raising immediate risk for exposed servers. cPanel has pushed fixes across supported versions and urged operators to update right away.

Cases

Related Happenings

CISA KEV mitigation for LiteSpeed cPanel Plugin (CVE-2026-54420)

Advisory/Mitigation
H score38 First: 16.06.2026 08:41 Last: 16.06.2026 08:41 Sources 1

About this happening: CISA put **CVE-2026-54420** in **LiteSpeed cPanel Plugin** on the **KEV catalog**, ordering **FCEB agencies** to apply fixes by **June 18, 2026**. The flaw is a **CVSS 8.5 privile...

LiteSpeed User-End cPanel Plugin root script execution security flaw (CVE-2026-48172)

Vulnerability
H score48 First: 23.05.2026 10:35 Last: 23.05.2026 10:35 Sources 1

About this happening: **CVE-2026-48172** in the **LiteSpeed User-End cPanel Plugin** is now **actively exploited**, creating **root-level arbitrary script execution** risk for exposed cPanel systems. T...

CPanel authentication-bypass and persistent-access campaign targeting Southeast Asia

Campaign
H score44 First: 04.05.2026 12:27 Last: 04.05.2026 12:27 Sources 1

How related: The actor built a durable access layer using OpenVPN, Ligolo, systemd persistence, and then used that access to pivot into an internal network and exfiltrate a substantial corpus of Chinese railway-sector documents,

About this happening: A **previously unknown threat actor** ran a **cPanel authentication-bypass campaign** that combined public exploit code and custom access tooling to reach government, military, MS...

CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)

Exploitation Wave
H score89 First: 04.05.2026 11:25 Last: 04.05.2026 11:25 Sources 1

How related: Censys said its scans revealed approximately 15,000 potentially compromised instances within the first 24 hours following disclosure.

About this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...

CPanel CVE-2026-41940 mitigation guidance

Advisory/Mitigation
H score89 First: 30.04.2026 14:40 Last: 30.04.2026 14:40 Sources 1

How related: The vendor strongly recommends that all customers restart the ‘cpsrvd’ service after installing the latest releases of the software:

About this happening: cPanel issued mitigation guidance for **CVE-2026-41940** after fixes became available for **cPanel, WHM, and WP Squared**, urging customers to restart **cpsrvd** to reduce exposur...

Timeline

  1. 29.04.2026 12:37 2 articles · 2mo ago

    cPanel emergency update for authentication bypass

    Initial Disclosure

    cPanel released emergency updates for an unauthenticated authentication-bypass flaw in cPanel and WHM that can let remote attackers obtain control-panel access; the issue affects all currently supported versions, has no official identifier at release, and was later tracked as CVE-2026-41940.

    Show sources
  2. 29.04.2026 12:37 1 articles · 2mo ago

    Active zero-day exploitation reported for cPanel and WHM

    Exploitation Observed

    Reports describe CVE-2026-41940 as an actively exploited zero-day against cPanel and WHM, with hosting-industry statements saying the flaw had been used in the wild for at least the last 30 days; technical analysis tied the abuse to CRLF injection in login and session loading, where manipulation of the `whostmgrsession` cookie and a malicious basic authorization header can yield administrator access.

    Show sources
  3. 29.04.2026 12:37 1 articles · 2mo ago

    Namecheap blocks management ports and cPanel urges patching

    Mitigation Patch Update

    Namecheap applied a firewall rule to block TCP ports 2083 and 2087, temporarily restricting customer access to cPanel and WHM interfaces until patching was complete, while cPanel urged administrators to update with `/scripts/upcp --force`, verify the build, restart services, or temporarily block inbound traffic on ports 2083, 2087, 2095, and 2096 or stop `cpsrvd` and `cpdavd`; the fix was reported as applied across Namecheap servers by April 29, 2026, 02:42 a.m. UTC.

    Show sources
  4. 29.04.2026 12:37 1 articles · 2mo ago

    CISA adds CVE-2026-41940 to KEV

    Legal Policy Action Update

    CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog and set a May 3, 2026 deadline for Federal Civilian Executive Branch agencies to apply the patches, increasing remediation urgency for exposed cPanel and WHM management interfaces.

    Show sources