CVE-2026-41940 lets attackers remotely bypass cPanel/WHM login to gain full admin access; exploitation confirmed since at least February 23.
Key Takeaways
The authentication bypass affects all supported cPanel and WHM versions; cPanel urges immediate patching across tens of millions of affected installs.
KnownHost found exploit attempts dating back to February 23, months before public disclosure; ~30 servers showed unauthorized access attempts.
Namecheap temporarily blocked customer cPanel access to prevent exploitation while patching; HostGator classified it as a “critical authentication-bypass exploit.”
Canada’s national cybersecurity agency warns exploitation is “highly probable” and flags shared hosting environments as especially at risk.
cPanel also patched WP Squared, its WordPress management tool, in the same release cycle.