On 30 April 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE‑2026‑41940 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects WebPros’ cPanel & WHM and WP2 (WordPress Squared) platforms. It is tracked as the ‘WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability’ and permits unauthenticated remote attackers to bypass login controls and access the control panel.
The vulnerability is an authentication bypass in the login flow, allowing an attacker without credentials to send crafted requests that grant full administrative access to the affected system. It can be exploited over the network, requires no user interaction, and leads to complete compromise of confidentiality, integrity and availability. The CVSS v3.1 base score is 9.8, rated Critical. A security update addressing the issue was released by WebPros on 28 April 2026, so a patch is available.
Because the entry appears in the KEV catalogue, CISA has confirmed that the vulnerability is being actively exploited in the wild. No public reports link this flaw to ransomware campaigns at this time. Federal civilian executive branch (FCEB) agencies must apply the required mitigation by 3 May 2026, the remediation due date specified by CISA.
CISA’s required action is to apply mitigations per vendor instructions, follow applicable Binding Operational Directive (BOD) 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. While the directive binds FCEB agencies, CISA advises all organisations to review their exposure to cPanel & WHM and WP2 (WordPress Squared) and implement the patch or mitigations without delay.
For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-41940 and the CISA KEV catalogue.