CVE-2026-41940

CRITICAL

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

CVSS v3.1 Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Complexity

LOW

Privileges

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Published: 4/29/2026Modified: 5/4/2026

Related Intelligence (8)

CRITICALVulnerability

cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor

A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments. The attack exploits CVE-2026-41940, a vulnerability impacting cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control

CVE-2026-41940

1h agoThe Hacker News

MEDIUMVulnerability

Searching for bulletproof detections in cPanel Land: Hunting for CVE-2026-41940: Building Detections for the exploit, not the PoC

[object Object]

CVE-2026-41940

3d agor/blueteamsec

CRITICALZero Day

Over 40,000 Servers Compromised in Ongoing cPanel Exploitation

The attacks likely target CVE-2026-41940, a recently patched zero-day leading to administrative access. The post Over 40,000 Servers Compromised in Ongoing cPanel Exploitation appeared first on SecurityWeek .

CVE-2026-41940

May 4, 2026SecurityWeek

MEDIUMVulnerability

South-East Asian Military Entities Targeted via cPanel (CVE-2026-41940)

[object Object]

CVE-2026-41940

May 3, 2026r/blueteamsec

HIGHRansomware

Critrical cPanel flaw mass-exploited in "Sorry" ransomware attacks

A new disclosed cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to breach websites and encrypt data in "Sorry" ransomware attacks. [...]

CVE-2026-41940

May 2, 2026BleepingComputer

MEDIUMVulnerability

CVE-2026-41940 cPanel Exploitation From a Honeypot Perspective

[object Object]

CVE-2026-41940

May 2, 2026r/cybersecurity

MEDIUMVulnerability

Federal agencies must patch cPanel bug by Sunday, CISA says

Incident responders at Rapid7 said successful exploitation of CVE-2026-41940 “grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages.”

CVE-2026-41940

May 1, 2026The Record

CRITICALZero Day

Critical cPanel and WHM bug exploited as a zero-day, PoC now available

The critical CVE-2026-41940 authentication bypass vulnerability in cPanel, WHM, and WP Squared is being actively exploited in the wild and has been leveraged in attempts since late February. [...]

CVE-2026-41940

Apr 30, 2026BleepingComputer

References (9)

https://docs.cpanel.net/release-notes/release-notesRelease Notes https://docs.wpsquared.com/changelogs/versions/changelog/#13617Release Notes https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026Vendor Advisory https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026Third Party Advisory https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flowThird Party Advisory https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/ExploitThird Party Advisory https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/Press/Media Coverage https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.pyExploitThird Party Advisory https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940US Government Resource