Ten days after CVE-2026-41940 ransomware hit 44,000 servers, cPanel issued a second emergency TSR patching three more CVEs, two rated CVSS 8.8.
Key Takeaways
CVE-2026-41940 (CVSS 9.8) was exploited as a zero-day for roughly two months before the April 28 patch; attackers deployed a Go-based Linux encryptor called “Sorry.”
Second TSR (May 8) covers: CVE-2026-29201 arbitrary file read (CVSS 4.3), CVE-2026-29202 arbitrary Perl code execution via create_user API (CVSS 8.8), CVE-2026-29203 privilege escalation via unsafe symlink/chmod (CVSS 8.8).
CVE-2026-29202 and CVE-2026-29203 are chainable: inject Perl code to create a symlink, then use chmod escalation for deeper system access on shared hosts.
Patch now: run /scripts/upcp as root, restart cpsrvd, and verify the installed version. The force flag is required if auto-updates are disabled.
If your server was unpatched between late February and April 28, audit logs from Feb 23 and scan home directories for .sorry files before considering it clean.
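A small triage helper for the audit step above, as an added example (not from the article or from cPanel): it lists files with the encryptor's `.sorry` extension under a home-directory tree that were modified after the Feb 23 cutoff, and reads the installed cPanel version. The home root and cutoff date are parameters so the same function can be exercised against a constructed directory; the cutoff-by-reference-file trick uses only POSIX `touch -t` and `find -newer`.

```shell
#!/bin/sh
# Added example, not part of the original article. Post-exposure triage for a
# cPanel host: find ransom-encrypted files created inside the exploitation
# window and report the installed cPanel version for comparison with the TSR.

# scan_sorry_files ROOT YYYYMMDD
# Prints every regular file under ROOT whose name ends in ".sorry" and whose
# mtime is later than 00:00 on the given date.
scan_sorry_files() {
    root=$1
    cutoff=$2   # e.g. 20260223, start of the window the article describes
    ref=$(mktemp)
    # POSIX touch -t takes [[CC]YY]MMDDhhmm; the temp file becomes the
    # timestamp reference that find -newer compares against.
    touch -t "${cutoff}0000" "$ref"
    # -type f skips symlinks and directories; -newer selects files modified
    # after the reference; errors (unreadable dirs, missing root) are dropped.
    find "$root" -type f -name '*.sorry' -newer "$ref" 2>/dev/null
    rm -f "$ref"
}

# count_sorry_files ROOT YYYYMMDD -> number of matching files on stdout
count_sorry_files() {
    scan_sorry_files "$1" "$2" | wc -l | tr -d ' '
}

# cpanel_version -> contents of cPanel's version file, or "unknown"
# /usr/local/cpanel/version is where a cPanel install records its version;
# compare the output against the version the TSR names as patched.
cpanel_version() {
    if [ -r /usr/local/cpanel/version ]; then
        cat /usr/local/cpanel/version
    else
        echo unknown
    fi
}

# Usage on a real host (output is informational; exit code is not a verdict):
#   count_sorry_files /home 20260223
#   cpanel_version
```

A non-zero count is a reason to treat the host as compromised and move to full incident response rather than simply patching.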
Hacker News Comment Review
Consensus is that cPanel’s attack surface reflects an aging codebase with weak sandboxing; shared hosting tenants can run code with minimal guardrails, making CVSS 8.8 auth-required flaws effectively low-bar exploits.
Commenters note that cPanel updates are pushed by cPanel itself, unlike OS-level patching, which partially offsets the risk for hosts that haven’t pinned their tier or disabled auto-updates.
There is skepticism that sophisticated operators still rely on cPanel at all, but practical pushback points out it remains the dominant panel for small shared hosts needing one-click TLS, domains, and email.
Notable Comments
@rickdg: frames why cPanel persists despite criticism – “there aren’t that many ways for a normie to create their own (sub)domain with TLS and an email in under five minutes.”
@zb3: sarcastically implicates AI-assisted research accelerating exploit discovery, consistent with the article’s claim that the CVE-to-exploitation window is shrinking to days.