The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a flaw in WebPros cPanel to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2026-41940, it is a login-flow authentication bypass affecting cPanel and WHM versions after 11.40, with a CVSS score of 9.3.
Cybersecurity researchers at watchTowr disclosed the flaw earlier this week and released a tool to help defenders identify vulnerable hosts, while Shadowserver Foundation reports that thousands of instances may be exposed and notes ongoing attacks. Exploits date back to February, and Namecheap warned customers of temporary access limits to mitigate risk.
CISA also requires federal agencies to address the vulnerability by 3 May 2026 under Binding Operational Directive 22-01, and private organisations are urged to review the KEV Catalog and patch their infrastructure accordingly. The advisory highlights that the weakness lies in the login flow, enabling remote attackers to bypass authentication and potentially take control of hosting settings or access sensitive data.