According to CISA, the Known Exploited Vulnerabilities (KEV) catalog currently lists CVE-2026-41940 for WebPros cPanel & WHM and WP2 (WordPress Squared). The entry describes a Missing Authentication for Critical Function vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the WebHost Manager control panel. It lists CWE-306 as the related weakness and gives the "Known To Be Used in Ransomware Campaigns" status as Unknown.
The date added is 30 April 2026, with a due date of 3 May 2026, and guidance advises applying mitigations per vendor instructions or discontinuing use of the product if mitigations are unavailable. Related notes provide links to security updates and release notes from cPanel and WP2, and to the NVD entry for CVE-2026-41940. This KEV entry emphasises prioritising remediation within vulnerability management programmes and following applicable guidance for cloud services under BOD 22-01.
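As an added illustration (not CISA's or the vendor's tooling), the sketch below shows how the entry's due date can drive remediation triage against scan results. The record uses the KEV JSON feed's field names with the values quoted above; the host names and findings are constructed.

```python
import json
from datetime import date

# Constructed record in the KEV JSON feed's field layout; values are the ones
# quoted in the summary above, other feed fields are omitted.
KEV_JSON = """
{"vulnerabilities": [{
  "cveID": "CVE-2026-41940",
  "vendorProject": "WebPros",
  "product": "cPanel & WHM and WP2 (WordPress Squared)",
  "dateAdded": "2026-04-30",
  "dueDate": "2026-05-03",
  "knownRansomwareCampaignUse": "Unknown",
  "cwes": ["CWE-306"]
}]}
"""

# Constructed scanner findings (hypothetical hosts): host -> open CVE ids.
FINDINGS = {
    "whm-01.example.net": ["CVE-2026-41940"],
    "web-07.example.net": [],
    "whm-02.example.net": ["CVE-2026-41940"],
}

def load_kev(raw):
    """Index KEV entries by CVE id, parsing the ISO dates."""
    index = {}
    for v in json.loads(raw)["vulnerabilities"]:
        v["dateAdded"] = date.fromisoformat(v["dateAdded"])
        v["dueDate"] = date.fromisoformat(v["dueDate"])
        index[v["cveID"]] = v
    return index

def triage(kev, findings, today):
    """Return one row per (host, KEV CVE), most urgent first."""
    rows = []
    for host, cves in findings.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: handled by the normal patch cadence
            days_left = (entry["dueDate"] - today).days
            rows.append({
                "host": host, "cve": cve, "days_left": days_left,
                "status": "OVERDUE" if days_left < 0 else "DUE",
                "window_days": (entry["dueDate"] - entry["dateAdded"]).days,
                "cwes": entry["cwes"],
            })
    return sorted(rows, key=lambda r: (r["days_left"], r["host"]))
```

Calling `triage(load_kev(KEV_JSON), FINDINGS, date.today())` returns the affected hosts ordered by urgency; a negative `days_left` means the KEV due date has passed.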