cPanel and WHM authentication bypass (CVE-2026-41940)
Vulnerability
Summary
cPanel and WHM are affected by CVE-2026-41940, an authentication bypass in the login flow that can let unauthenticated remote attackers gain control-panel access. The flaw is rated 9.8/10.0, has a patch available, and was reported as actively exploited as a 0-day, raising immediate risk for exposed servers. cPanel has pushed fixes across supported versions and urged operators to update right away.
Cases
Related Happenings
LiteSpeed User-End cPanel Plugin root script execution security flaw (CVE-2026-48172)
Vulnerability
First: 23.05.2026 10:35
Last: 23.05.2026 10:35
Sources 1
About this happening:
**CVE-2026-48172** in the **LiteSpeed User-End cPanel Plugin** is now **actively exploited**, creating **root-level arbitrary script execution** risk for exposed cPanel systems. T...
cPanel authentication-bypass and persistent-access campaign targeting Southeast Asia
Campaign
First: 04.05.2026 12:27
Last: 04.05.2026 12:27
Sources 1
How related:
The actor built a durable access layer using OpenVPN, Ligolo, systemd persistence, and then used that access to pivot into an internal network and exfiltrate a substantial corpus of Chinese railway-sector documents,
About this happening:
A **previously unknown threat actor** ran a **cPanel authentication-bypass campaign** that combined public exploit code and custom access tooling to reach government, military, MS...
cPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
First: 04.05.2026 11:25
Last: 04.05.2026 11:25
Sources 1
How related:
Censys said its scans revealed approximately 15,000 potentially compromised instances within the first 24 hours following disclosure.
About this happening:
Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
cPanel CVE-2026-41940 mitigation guidance
Advisory/Mitigation
First: 30.04.2026 14:40
Last: 30.04.2026 14:40
Sources 1
How related:
The vendor strongly recommends that all customers restart the ‘cpsrvd’ service after installing the latest releases of the software:
About this happening:
cPanel issued mitigation guidance for **CVE-2026-41940** after fixes became available for **cPanel, WHM, and WP Squared**, urging customers to restart **cpsrvd** to reduce exposur...
CISA KEV patch directive for CVE-2025-53521
Advisory/Mitigation
First: 30.03.2026 10:07
Last: 30.03.2026 10:07
Sources 1
About this happening:
CISA added **CVE-2025-53521** to its **KEV catalog** and told **federal agencies** to patch the F5 BIG-IP flaw within **three days**. The directive is urgent because the bug is be...
Timeline
29.04.2026 12:37 2 articles · 28d ago
cPanel emergency update for authentication bypass
Initial Disclosure: cPanel released emergency updates for an unauthenticated authentication-bypass flaw in cPanel and WHM that can let remote attackers obtain control-panel access; the issue affects all currently supported versions, had no official identifier at release, and was later tracked as CVE-2026-41940.
Sources:
- Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately — thehackernews.com — 29.04.2026 12:37
- cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor — thehackernews.com — 11.05.2026 20:54
29.04.2026 12:37 1 article · 28d ago
Active zero-day exploitation reported for cPanel and WHM
Exploitation Observed: Reports describe CVE-2026-41940 as an actively exploited zero-day against cPanel and WHM, with hosting-industry statements saying the flaw had been used in the wild for at least the last 30 days; technical analysis tied the abuse to CRLF injection in login and session loading, where manipulation of the `whostmgrsession` cookie and a malicious basic authorization header can yield administrator access.
Sources:
- Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately — thehackernews.com — 29.04.2026 12:37
29.04.2026 12:37 1 article · 28d ago
Namecheap blocks management ports and cPanel urges patching
Mitigation Patch Update: Namecheap applied a firewall rule to block TCP ports 2083 and 2087, temporarily restricting customer access to cPanel and WHM interfaces until patching was complete, while cPanel urged administrators to update with `/scripts/upcp --force`, verify the build, restart services, or temporarily block inbound traffic on ports 2083, 2087, 2095, and 2096 or stop `cpsrvd` and `cpdavd`; the fix was reported as applied across Namecheap servers by April 29, 2026, 02:42 a.m. UTC.
Sources:
- Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately — thehackernews.com — 29.04.2026 12:37
29.04.2026 12:37 1 article · 28d ago
CISA adds CVE-2026-41940 to KEV
Legal Policy Action Update: CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog and set a May 3, 2026 deadline for Federal Civilian Executive Branch agencies to apply the patches, increasing remediation urgency for exposed cPanel and WHM management interfaces.
Sources:
- Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately — thehackernews.com — 29.04.2026 12:37