Signal

Critical cPanel and WHM authentication bypass vulnerability exploited as zero-day for months

reddit · rss
cve · exploits · security_tooling · incident_response · security_policy
Evidence trail (top sources)
Top sources (4 domains). Domains are deduped; counts indicate coverage, not truth.
Warning: Critical authentication bypass in cPanel & WHM, Patch Immediately!
CERT.BE (BE) - Advisories · News · ccb.belgium.be · 2026-04-30 12:16 UTC
Overview

A severe authentication bypass vulnerability (CVE-2026-41940) affecting cPanel, WHM, and WP Squared has been actively exploited in the wild since at least February 2026. The flaw allows attackers to gain unauthorized administrative access, including root privileges, to vulnerable servers.

Entities
cPanel · WP Squared · KnownHost · Rapid7 · watchTowr · Cybersecurity and Infrastructure Security Agency · AusCERT · Nationaal Cyber Security Centrum
Score total: 2.19
Momentum 24h: 9
Posts: 9
Origins: 9
Source types: 2
Duplicate ratio: 0%
Why now
  • Exploitation has been ongoing since at least February 2026, with patches only recently released.
  • CISA and multiple national CERTs have issued urgent advisories highlighting the critical risk.
  • Immediate patching is essential to prevent further unauthorized access and potential damage.
Why it matters
  • The vulnerability enables attackers to gain root-level access, risking full server compromise.
  • Millions of cPanel instances are exposed online, increasing the attack surface significantly.
  • Delayed patching allowed months of active exploitation before mitigation was available.
LLM analysis
Topic mix: low · Promo risk: low · Source quality: high
Recurring claims
  • CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel and WHM actively exploited in the wild since at least February 2026.
  • Emergency patches were released on April 28, 2026, but exploitation had been ongoing for months prior to the fix.
  • The vulnerability allows attackers to gain unauthorized root access by exploiting a CRLF injection flaw in login and session handling.
How sources frame it
  • CyberScoop: neutral
  • SecurityWeek: neutral
  • Nationaal Cyber Security Centrum: neutral
All evidence
Critical cPanel vulnerability actively exploited in the wild
SC Media · scworld.com · 2026-04-30 23:13 UTC
cPanel zero-day exploited for months before patch release (CVE-2026-41940)
Help Net Security · helpnetsecurity.com · 2026-04-30 13:40 UTC
Warning: Critical authentication bypass in cPanel & WHM, Patch Immediately!
CERT.BE (BE) - Advisories · ccb.belgium.be · 2026-04-30 12:16 UTC
Critical vulnerability in cPanel and WHM products
NCSC NL (News) · ncsc.nl · 2026-04-30 11:25 UTC
Critical cPanel & WHM Vulnerability Exploited as Zero-Day for Months
SecurityWeek · securityweek.com · 2026-04-30 11:10 UTC
Posts loaded: 0 · Publishers: 6 · Origin domains: 6 · Duplicates: -
Top publishers (this list)
  • SC Media (1)
  • CyberScoop (1)
  • Help Net Security (1)
  • CERT.BE (BE) - Advisories (1)
  • NCSC NL (News) (1)
  • SecurityWeek (1)
Top origin domains (this list)
  • scworld.com (1)
  • cyberscoop.com (1)
  • helpnetsecurity.com (1)
  • ccb.belgium.be (1)
  • ncsc.nl (1)
  • securityweek.com (1)