SecurityWeek reports that hackers have been exploiting a critical authentication bypass in cPanel & WHM, tracked as CVE-2026-41940 with a CVSS score of 9.8, since February 23, 2026, according to KnownHost (via a Reddit post) and other industry observers. The flaw affects the login flow, enabling remote, unauthenticated attackers to gain administrative access and potentially take over the cPanel host, its configuration and the websites it serves on shared hosting servers.
The Canadian Centre for Cyber Security points out that successful exploitation could allow an attacker to modify server configurations and compromise all websites on affected servers, while Rapid7 notes the broader impact of gaining control over the host and its databases. A Shodan search cited in the coverage shows around 1.5 million internet-accessible cPanel instances exposed to risk.
Patches were released in several updates, with fixes included in cPanel & WHM versions 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.136.0.5, and 11.134.0.20, plus WP Squared 136.1.7, and some hosting providers acted quickly to block access while patches were deployed, according to SecurityWeek.
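Because the fixes landed on several release branches at once, a numerically higher version is not necessarily a patched one (11.134.0.19 is below its branch fix while 11.86.0.41 is at it). The following is an added example, not code from SecurityWeek or cPanel, that checks a cPanel & WHM version string against the fixed builds listed above within its own major.minor branch; the `/usr/local/cpanel/version` path it reads when run directly is an assumption.

```python
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# Fixed builds as listed in the coverage above, keyed by major.minor branch.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (11, 86): (11, 86, 0, 41),
    (11, 110): (11, 110, 0, 97),
    (11, 118): (11, 118, 0, 63),
    (11, 126): (11, 126, 0, 54),
    (11, 130): (11, 130, 0, 19),
    (11, 132): (11, 132, 0, 29),
    (11, 134): (11, 134, 0, 20),
    (11, 136): (11, 136, 0, 5),
}


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH.BUILD' into a tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected cPanel version format: {text!r}")
    major, minor, patch, build = (int(p) for p in parts)
    return (major, minor, patch, build)


def is_patched(version_text: str) -> Optional[bool]:
    """True if at/above the fix for its branch, False if below it,
    None if the branch has no listed fix (unknown or unsupported branch)."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    # Same branch, so a plain tuple comparison is meaningful here.
    return version >= fixed


if __name__ == "__main__":
    # Assumed location of the installed version string on a cPanel host.
    with open("/usr/local/cpanel/version", encoding="utf-8") as fh:
        installed = fh.read()
    status = is_patched(installed)
    label = {True: "patched", False: "VULNERABLE", None: "unknown branch"}[status]
    print(f"cPanel & WHM {installed.strip()}: {label}")
```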