Signal
Critical authentication bypass vulnerability in cPanel and WHM exploited as zero-day
Published 2026-04-29 09:37 UTC
Updated 2026-04-30 13:40 UTC
reddit, rss
cve, vulnerability, security, incident_response, advisory, malware
Overview
A critical authentication bypass vulnerability (CVE-2026-41940) affecting cPanel, WebHost Manager (WHM), and WP Squared products was actively exploited as a zero-day for months before a patch was released on April 28, 2026.
Entities
cPanel, KnownHost, WP Squared, Ionut Arghire, Zeljka Zorz
Score total: 2.33
Momentum 24h: 11
Posts: 11
Origins: 10
Source types: 2
Duplicate ratio: 9%
Why now
- Zero-day exploitation has been ongoing for months before patch release.
- Approximately 1.5 million cPanel instances are potentially vulnerable online.
- Multiple national cybersecurity agencies have issued urgent advisories and patches.
Why it matters
- Allows attackers to gain root-level access to millions of web hosting servers.
- Exploitation can lead to full control over websites and server configurations.
- Highlights importance of rapid patching for widely used hosting control panels.
LLM analysis
Topic mix: low
Promo risk: low
Source quality: high
Recurring claims
- CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel and WHM allowing unauthenticated administrative access.
- The vulnerability has been actively exploited as a zero-day for months before the patch release in April 2026.
- Emergency patches are available and administrators are urged to update immediately to mitigate risk.
How sources frame it
- Rapid7: neutral
- Canadian Centre For Cyber Security: neutral
- SecurityWeek: neutral
All evidence
cPanel zero-day exploited for months before patch release (CVE-2026-41940)
Help Net Security · helpnetsecurity.com · 2026-04-30 13:40 UTC
Warning: Critical authentication bypass in cPanel & WHM, Patch Immediately!
CERT.BE (BE) - Advisories · ccb.belgium.be · 2026-04-30 12:16 UTC
Critical vulnerability in cPanel and WHM products
NCSC NL (News) · ncsc.nl · 2026-04-30 11:25 UTC
Critical cPanel & WHM Vulnerability Exploited as Zero-Day for Months
SecurityWeek · securityweek.com · 2026-04-30 11:10 UTC
Bug of the year (so far)? Nasty cPanel vulnerability probably exploited as a 0-day
The Register Security · go.theregister.com · 2026-04-30 10:14 UTC
Security: CVE-2026-41940 - cPanel & WHM / WP2 Security Update 04/28/2026
blueteamsec · support.cpanel.net · 2026-04-30 06:26 UTC
Top publishers (this list)
- Help Net Security (1)
- CERT.BE (BE) - Advisories (1)
- NCSC NL (News) (1)
- SecurityWeek (1)
- The Register Security (1)
- blueteamsec (1)
Top origin domains (this list)
- helpnetsecurity.com (1)
- ccb.belgium.be (1)
- ncsc.nl (1)
- securityweek.com (1)
- go.theregister.com (1)
- support.cpanel.net (1)