
Authentication bypass vulnerability in cPanel and WHM exploited as zero-day prior to patch

1 unique source, 1 article

Summary


A critical authentication bypass vulnerability (CVE-2026-41940) in cPanel, WHM, and WP Squared was exploited as a zero-day in the wild with observed activity dating back to February 23, 2026. The flaw, a Carriage Return Line Feed (CRLF) injection in login and session loading processes, allowed attackers to gain full control over cPanel hosts, their configurations, databases, and managed websites without valid credentials. Exploitation attempts were detected before a fix was released, prompting emergency measures such as port blocking by Namecheap and rapid vendor patching on April 28, 2026. The vulnerability impacts cPanel versions 11.40 and later, with approximately 1.5 million exposed instances identified via Shodan scans. Immediate patching and service restarts are recommended, with emergency mitigations available for unpatched systems.

Timeline

  1. 30.04.2026 14:40 · 1 article

    Zero-day authentication bypass in cPanel and WHM (CVE-2026-41940) exploited in the wild before patch

    Exploitation of CVE-2026-41940 began no later than February 23, 2026, enabling attackers to bypass authentication via CRLF injection in login and session loading processes. Successful exploitation grants full control over cPanel hosts, configurations, databases, and managed websites without valid credentials. cPanel released fixes on April 28, 2026, addressing versions 11.110.0 through 11.136.0 and WP Squared 11.136.1. Emergency mitigations included port blocking and service suspensions.


Information Snippets

  • CVE-2026-41940 is an authentication bypass vulnerability in cPanel, WHM, and WP Squared caused by improper session handling and CRLF injection in login and session loading processes.

    First reported: 30.04.2026 14:40
    1 source, 1 article
  • Active exploitation of CVE-2026-41940 was observed in the wild as early as February 23, 2026, with successful attacks reported prior to patch availability.

    First reported: 30.04.2026 14:40
    1 source, 1 article
  • Technical details and a proof-of-concept enabling exploitation were published after disclosure, demonstrating how attackers could log in without validating passwords.

    First reported: 30.04.2026 14:40
    1 source, 1 article
  • cPanel released fixes on April 28, 2026, addressing versions 11.110.0 through 11.136.0 and WP Squared 11.136.1, with patched builds listed (e.g., 11.136.0.5).

    First reported: 30.04.2026 14:40
    1 source, 1 article
  • Rapid mitigation steps were recommended, including blocking ports 2083, 2087, 2095, and 2096, stopping core services (cpsrvd, cpdavd), and using a vendor-supplied detection script to identify compromise.

    First reported: 30.04.2026 14:40
    1 source, 1 article
  • Approximately 1.5 million cPanel instances are exposed online according to Shodan scans, though the number vulnerable to CVE-2026-41940 is not quantified.

    First reported: 30.04.2026 14:40
    1 source, 1 article